In the world of cybercrime, everybody from individuals to nation states is a target – some more attractive than others, of course. Health care organizations have gotten the most headlines recently, and the Internet of Things (IoT) offers an almost unlimited attack surface.
But law firms are attractive too. They hold sensitive, confidential data ranging from the personal (divorce, personal injury) to the professional (contract negotiations, trade secrets, mergers and acquisitions, financial data and more) that, if compromised, could cause catastrophic damage both to the firm and its clients.
The Wall Street Journal reported recently that hackers broke into the networks of two of the nation’s most prestigious firms, Cravath Swaine & Moore and Weil Gotshal & Manges, in 2015. The two, “represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations,” the Journal said.
The FBI and Manhattan U.S. Attorney’s office were investigating to see if the hack was aimed at getting information to use for insider trading.
Tom Brown, managing director and global leader of Berkeley Research Group’s Cyber Security/Investigations practice, said law firms are being targeted more, “possibly because hackers are looking to maximize their returns. If successful, they can obtain information on multiple clients through one attack.”
Tom Brown, managing director and global leader, Berkeley Research Group’s Cyber Security/Investigations practice
But while high-profile cases like those in New York make national news, many others don’t. Or, if they do, the firms are not always identified. The Cybersecurity Law Review (CSLR) reported recently that four firms in northern Virginia were hit by ransomware attacks late last year. But none of the firms was named.
And few firms are willing to talk publicly about it either. More than half-dozen attorneys did not respond to a request from CSO to discuss law firm breaches. This, according to the public relations representative of one firm, is due to, “sensitivities around the topic.”
Sensitive or not, it is an obvious and growing problem. As the Journal put it, the increase in hacking tools and hackers for hire has made it, “easier for criminals to breach computer networks as a way to further a range of crimes, from insider trading to identity theft.”
Rebecca Hughes Parker, managing editor of The Law Report Group, said the 2015 ABA Legal Technology Survey Report found that 23 percent of respondents at firms with more than 100 attorneys reported a security breach, and noted a recent report that a Russian hacker targeted 48 top law firms to access information on mergers and acquisitions.
Sign up for CIO Asia eNewsletters.