The Federal Bureau of Investigation is looking into a string of attacks on prominent law firms, apparently aimed at stealing information that might be used for insider trading.
The news broke last week after the FBI issued a Private Industry Notification to law firms about attacks targeting “international law firm information used to facilitate business ventures,” according to this article at dataprivacyandsecurityinsider.com.
The notice cited posts in hacker forums looking for a “technically proficient hacker” who could help criminals get “sustained access” to the networks of multiple international law firms. The idea would be to monitor network traffic and collect “material, non-public” information that could be used to make strategic stock market bets.
In a statement released to the web site Threatpost, Cravath Swaine & Moore, a 197 year-old New York firm said that its computer networks were infiltrated in 2015, but was not aware of any information that may have been taken that was used inappropriately. The firm said it worked with “law enforcement authorities who have jurisdiction over this matter.”
This isn’t the first time that law firms have been the target of attacks. Both cyber criminal groups and nation-state backed hacking crews have been observed targeting attorneys and law firms for years. In January, 2012, for example, Bloomberg reported on a campaign from 2010 in which China-based hackers compromised a number of Canadian law firms in search of information about a takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd. Reports suggested the hackers were looking for deal information that might give outside firms a leg up in negotiations. Furthermore, this article in ABA Journal notes that firms often overlook vulnerabilities that can lead to successful attacks.
Firms are vulnerable because they are typically decentralized and IT dependent organizations that manage complex and sensitive documents. Laws and ethical guidelines protecting attorney-client dealings also complicate firms’ efforts to establish robust information security practices, the ABA article notes. It also makes it less likely that firms will disclose cyber incidents when they happen.
The challenges aren’t limited to law firms. Companies need to worry about the security of any data they entrust to third parties, including their law firm. And making data security and data protection part of the vetting process for these contractors and partners is probably a good idea.
Law firms are different kinds of organizations to be sure, but the steps needed to protect them from attacks are no different from those used by other small and mid-sized organizations. As this report by PWC notes: making a company’s senior leadership cognizant of the threat of hacking is critical. Beyond that, law firms should deploy a range of protections that are common: from employee training to malware and intrusion detection applications.
Law firms also need to understand which of their data might be of interest to hackers and why. Information relating to acquisitions, pending deals or technologies all hold special value for cyber criminals and nation state actors. Putting special precautions around assets that store that data and making attorneys and support staff aware of the myriad of approaches that bad guys may use to get at it will help prevent successful hacks from happening in the first place.