Large law firms' secret information from big-money clients entices cyberthieves
“It’s an issue about the data, fundamentally,” says Jake Olcott, a vice president at BitSight Technologies, a cybersecurity rating company. “More organizations that have this sensitive data internally are doing better to protect themselves, and so the bad guys who are interested in this data are having to turn to what they perceive are the weakest links in the supply chain. That’s why law firms are such targets.”
Indeed, in the last five years, several large firms have been targets for cybercriminals of all shapes and sizes:
In 2014 and 2015, authorities say, hackers involved in a massive insider-trading scheme breached several major Am Law firms, including Cravath, Swaine & Moore and Weil, Gotshal & Manges.
In 2012, Washington, D.C.-based Wiley Rein was doing work relating to solar panel design when it was hacked by actors believed to be connected to the Chinese government.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Perhaps most famous is what’s known as the Panama Papers. The German newspaper Süddeutsche Zeitung and the International Consortium of Investigative Journalists analyzed 11.5 million documents (2.6 terabytes of data) from Panama-based law firm Mossack Fonseca. The data, some of which was released in 2016, included confidential information of several prominent individuals, including current and former heads of state or government leaders from Argentina, Iceland, Saudi Arabia, Ukraine and the United Arab Emirates. The firm maintained that it had been hacked and denied that it was an inside job or its own fault for not updating software.
More recently, offshore law firm Appleby claimed that a cybercriminal had stolen 13.4 million documents, collectively known as the Paradise Papers, and turned them over to journalists. Some of the firm’s named clients include Apple, Facebook, Twitter and U.S. Secretary of Commerce Wilbur Ross.
According to Olcott, BitSight’s research indicates that the legal sector, “on average,” is “high performing” when it comes to cybersecurity.
As such, any improvement in performance could help deter cyberthieves. Kim Phan, of counsel at Ballard Spahr in Washington, D.C., points out that several years ago hackers aggressively targeted marketing firms. Once firms realized they were the target du jour for hackers, they invested in their digital security, and the hackers looked for another target. “I think we’re going to see some law firm breaches for a while,” she says, but the inundation of law firm hacks is “a fad right now.” Once the message is clear that law firms are serious about security, Phan believes, “then the hackers will move on.”
This article was published in the January 2018 issue of the ABA Journal with the title "Big Targets: With access to top-secret information from big-money clients, large law firms are an enticing target for cyberthieves."