According to experts, we may be on the threshold of a cybersecurity pandemic. It has never been easier for criminals to exploit security weaknesses, and the frequency of these attacks is getting startlingly high.
When businesses fall prey to a cyberattack, they may lose millions of dollars. It also damages their reputation, sometimes beyond repair.
In the world of law, there is a growing awareness of the risks posed by hackers and other malicious actors. However, law firms aren’t adapting quickly enough to the rising threat, and even the biggest firms can become targeted by attackers.
Let’s take a look at some notable law firm security attacks and what we can learn from them.
1. Email account security attack targeting medical files
Charles J. Hilton & Associates P.C. (CJH) is a Pennsylvania law firm that had a security breach in April 2020. The breach wasn’t immediately detected. Over the next several months, the hackers had access to CJH employee email accounts.
Unfortunately, this gave the attackers access to confidential client data. CJH provides legal services to the University of Pittsburgh Medical Center, and it handles some of the University’s sensitive patient information. The hackers obtained patient records that included insurance numbers, subscription and diagnosis history, disability history, etc. Over 36,000 people were impacted.
The Takeaway:
Protecting your law firm also means protecting your clients from attackers. Confidential data breaches can put people at risk of getting blackmailed and extorted, and there’s no way to undo that kind of damage.
2. Ransomware attack focused on celebrities’ personal information
The idea behind ransomware is simple: attackers use malicious software to obtain and encrypt the victim’s sensitive data. The only way to undo this encryption and get the data back is to give in to their demands and pay the ransom. However, there’s always a chance the attackers will keep a copy of the data and use it for further extortion.
REvil ransomware is particularly notable when it comes to large-scale attacks. In 2020, it was used to extort New York law firm Grubman Shire Meiselas & Sacks. This firm works with some of the biggest names in arts and entertainment.
The attackers obtained over 756 GB of data, including some confidential information belonging to Bruce Springsteen, Madonna, and other celebrities.
The Takeaway:
It’s extremely important to invest in top-range virus and malware protection. While it can’t prevent every attack, it’ll decrease the risk considerably.
3. Phishing attack targeting Social Security numbers and other personal data
In 2016, several large US law firms fell prey to a phishing campaign focused on W-2 employee forms. The two biggest firms impacted were Proskauer Rose and Jenner & Block. Thousands of people had their salary info and Social Security numbers handed over to hackers.
Phishing attacks rely on social engineering. The attackers pose as a legitimate contact - in the case of the Proskauer Rose attack, they impersonated a payroll employee. They request sensitive information (which can include passwords and bank account details) via email. The recipient of the email doesn’t notice that anything is wrong until they lose money.
The Takeaway:
Some cyberattacks rely on trust. Employees have no reason to question an email sent by their coworker, boss, or a trusted business partner. But it’s easy to spoof email addresses, and some attackers hack into legitimate email accounts.
+1. Advanced Computer Software data leak
Finally, let’s take a look at an inadvertent leak. While no deliberate attack took place in this case, the loss of confidential data put many law firm employees at risk.
Advanced Computer Software Group is a successful British company that provides hosting and cloud storage services to numerous businesses and organizations (including the UK’s National Health Service). In the spring of 2020, it was revealed that Advance’s online database had a glaring security weakness. Confidential information was leaked from 193 law firms. The leaked data included legal documents, as well as hashed passwords and partly-obscured personal information.
The Takeaway:
The software, apps, and cloud storage solutions we use jeopardize our security too. Even the most respectable software providers can pose a threat.
Don’t Get Complacent
It’s important to keep in mind that cyberattackers have much to gain by jeopardizing your firm, and their risk of discovery is minimal. The attackers are very rarely found, and some businesses never recover.
Big and small law firms are equally in danger. Once a security attack happens, the only thing you can do is disclose the damage to your client and try to assess how much information may have gotten out.
Prevention is much better than damage control. So make sure you understand how data loss works in 2021 and what you can do to secure your networks, databases, and employee email accounts.