Law Firms Exposed: New Research Reveals a Growing Cyber Threat
In insight / By Phil Muncaster / 14 February 2018
If you work in the legal sector, there could be bad news lurking just around the corner. Law firms are not only coming under increasing scrutiny from cyber-criminals keen to tap potentially lucrative client data; they are also making the hackers' job easier. A new report has revealed over one million email addresses and passwords linked to the UK's top 500 law firms, all available on hidden corners of the web.
IT leaders need to get a handle on this now before GDPR regulators come knocking, or there could be some very serious fines heading their way.
One million problems
The study from threat intelligence firm RepKnight was compiled by scouring the dark web, paste sites and data dump sites for 620 domains linked to the law firms in question. The firms were chosen from lists compiled by reputable sources such as The Lawyer and Law360, and even include elite Magic Circle players. After just a few minutes of number crunching, RepKnight had found 1.16m email addresses, an average of 2,000 per firm. Even worse, 80% had an associated password, either stored in cleartext or hashed with a weak, crackable algorithm.
To be clear, these credentials weren't available on underground crime sites because the law firm in question had been breached. Instead, an employee had used their work email address to register with a third-party site, such as LinkedIn, which was subsequently breached. Some credentials may well be out of date by now, but the majority were posted to the dark web and data dump sites within the past six months.
This is bad news on several fronts. Even with only an email address, an attacker could craft a convincing spear-phishing email designed to trick the user into handing over their password, or into installing data-stealing malware without their knowledge. If the hacker obtains both email address and password, and the password also works for the corporate network, they have the virtual keys to the kingdom: access to a trove of sensitive client data.
That's not to mention the risk of Business Email Compromise (BEC). Typical "CEO fraud" works by the attacker tricking a recipient in the finance department into wiring a large sum of corporate funds to a third-party account. If the attacker were able to hijack a CFO's or partner's mail account, they could craft a highly convincing money transfer request. It's a tactic that is netting cyber-criminals big bucks: Trend Micro predicts total BEC losses will grow to $9bn by the end of 2018.
Why law firms?
The risk of a damaging breach or cyber-attack is not merely theoretical. In early 2017, three Chinese nationals were indicted after hacking into two major US law firms, using the data they stole to make $4m from insider trades. In addition, offshore law firms have been targeted in the past by hackers who have subsequently leaked damaging information on clients. The so-called Paradise Papers and Panama Papers detailed the sometimes dubious financial and tax arrangements of the rich and famous.
Clearly, the more sensitive information you hold, the bigger the target your law firm will be. Mergers and acquisitions data is particularly valuable, and a growing target not only for financially motivated cyber-criminals but also nation states keen to gather intelligence in various sectors including gas and oil exploration.
However, these factors are not a prerequisite to being targeted: cyber-criminals know that even on a smaller scale there will be lucrative information to find in the legal sector. Closer to home, NatWest claimed last year that 24% of SMB-sized law firms had suffered fraud-related losses or a cyber-attack over the preceding 12 months.
What you can do
There’s absolutely no sign that hackers will lose interest in law firms as potential targets, so the emphasis must be on building cyber-resilience. As the RepKnight report reveals, threats don’t necessarily come directly anymore, but can be the result of poor user practice outside of the corporate network. As always, a combination of people, process and technology is the best way forward.
Given the revelations detailed in the above report, IT leaders in law firms should consider:
Multi-factor authentication: for all internal accounts, to stop the bad guys getting in. It's a great place to start, as it means a stolen static password on its own is no longer enough to gain access.
End-user awareness raising: you should be changing user behaviour via short bursts of training focused on real-world challenges. Employees should know how to spot phishing emails, and that they shouldn't be using corporate email addresses to register for third-party services, or reusing passwords across sites.
AV and anti-phishing: invest in advanced tools from trusted providers for all endpoints.
Dark web monitoring: some firms scour the web to bring you the kind of intelligence listed above. It could prove a useful early-warning system.
Digital watermarking: adding these capabilities could also provide an early heads-up if sensitive data has left the network.
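To make the dark web monitoring point above concrete, here is an added example (written for this article, not RepKnight's or Nasstar's tooling) of the triage step that follows once a credential dump has been found: it parses the common "email:secret" dump layout, keeps only addresses under the firm's own domains (including subdomains), classifies each password field as cleartext, a bare MD5/SHA-1-length hex digest (the "crackable" case the report describes), a bcrypt hash, or absent, and summarises the exposure per domain. The dump lines, domain names and hash values are constructed placeholders, and the layout assumption is mine.

```python
"""Triage a credential dump against a firm's own email domains.

Added example: the dump below and the domain names are constructed
placeholders, and the "email:secret" layout is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample in the common "email:secret" dump layout.
# Hash values are illustrative only.
SAMPLE_DUMP = """\
alice@example-law.co.uk:Summer2017!
bob@example-law.co.uk:5f4dcc3b5aa765d61d8327deb882cf99
carol@mail.example-law.co.uk:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
dave@other-chambers.example:da39a3ee5e6b4b0d3255bfef95601890afd80709
erin@unrelated.example:hunter2
alice@example-law.co.uk:Summer2017!
malformed line without separator
frank@example-law.co.uk:
"""

# Placeholder domains standing in for the firm's monitored domains.
MONITORED_DOMAINS = {"example-law.co.uk", "other-chambers.example"}

HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)   # MD5-length hex digest
HEX40 = re.compile(r"^[0-9a-f]{40}$", re.I)   # SHA-1-length hex digest

# Forms that give an attacker the password immediately or cheaply.
WEAK_FORMS = {"cleartext", "md5-hex", "sha1-hex"}


def classify_secret(secret: str) -> str:
    """Label the password field by the form it takes in the dump."""
    if secret == "":
        return "none"
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"          # slow, salted hash: far harder to crack
    if HEX32.match(secret):
        return "md5-hex"         # bare digest, usually unsalted MD5
    if HEX40.match(secret):
        return "sha1-hex"        # bare digest, usually unsalted SHA-1
    return "cleartext"


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()


def monitored_domain(domain: str, domains=MONITORED_DOMAINS):
    """Return the monitored domain that `domain` equals or sits under."""
    for d in domains:
        if domain == d or domain.endswith("." + d):
            return d
    return None


def parse_dump(text: str):
    """Yield (email, secret) for well-formed lines, skipping junk lines."""
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or "@" not in line.split(":", 1)[0]:
            continue
        email, secret = line.split(":", 1)
        yield email.strip().lower(), secret.strip()


def triage(text: str, domains=MONITORED_DOMAINS):
    """Summarise exposure per monitored domain.

    Deduplicates by email address and keeps the weakest form seen for
    each address, so the report reflects the worst case.
    """
    seen = {}  # email -> (monitored domain, password form)
    for email, secret in parse_dump(text):
        root = monitored_domain(domain_of(email), domains)
        if root is None:
            continue
        form = classify_secret(secret)
        prev = seen.get(email)
        if prev is None or (form in WEAK_FORMS and prev[1] not in WEAK_FORMS):
            seen[email] = (root, form)

    report = defaultdict(
        lambda: {"addresses": 0, "with_password": 0, "weak": 0, "examples": []}
    )
    for email, (root, form) in sorted(seen.items()):
        entry = report[root]
        entry["addresses"] += 1
        if form != "none":
            entry["with_password"] += 1
        if form in WEAK_FORMS:
            entry["weak"] += 1
            entry["examples"].append((email, form))
    return dict(report)


if __name__ == "__main__":
    for domain, stats in triage(SAMPLE_DUMP).items():
        print(domain, stats)
```

The "weak" count is the one to act on first: every address in it should have its password rotated and, where the user has admitted to reuse, its corporate account checked for sign-ins from unfamiliar locations. Counting addresses without any password is still useful, since each one is a ready-made spear-phishing target.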
The above is just a guide; there are many more cybersecurity best practices that law firms should be following, from regular patching to intrusion detection and continuous monitoring tools. The most important part is understanding what data you hold and then taking a risk-based approach to applying the relevant "state-of-the-art" security controls.
That’s the kind of thing GDPR regulators are looking for. Fail to convince them, and your next breach could lead to a fine far in excess of the maximum £500,000 the ICO is currently able to levy.
To find out how Nasstar's Professional Services team are helping clients through the GDPR process, contact a member of the team today.
In the meantime read our article on how GDPR will impact data management practices here.