Breaking the Law: How Legal Firms Get Hacked


A cybersecurity incident can happen to firms of any size, which raises the question: how do legal firms get hacked in the first place, and why? Attorney Vincent Polley saw the mounting challenges law firms would face years ago, stating at an American Bar Association Expo, “everyone in this room has been hacked. How you deal with it is the critical factor.”

As we continue to operate in increasingly remote and digitally dependent environments, the impact and frequency of cyber threats keep rising. Any firm that holds large amounts of money or sensitive, confidential information should consider itself a target, and you would be hard-pressed to find a law firm that doesn’t fall into at least one of those two categories, if not both. This is precisely why the industry as a whole should pay attention to the cybersecurity risks almost every organization faces today. To pave a path forward, start by understanding the challenges at hand, define the vulnerabilities, and then move forward with a sound plan of action to build a cybersecurity program that fits your organization’s needs.

Why Law Firms are a Target

The latest breach to break the news points to why a law firm makes an appealing target for threat actors. Campbell Conroy & O’Neil, a US law firm “counseling dozens of Fortune 500 and Global 500 companies” disclosed a data breach following a February 2021 ransomware attack. Attackers were able to access “certain individuals’ names, dates of birth, driver’s license numbers/state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords).”

Unfortunately, firms are even more vulnerable to data breaches in the ever-evolving threat landscape than they have been in the past. To help paint the picture, take a look at some of the most significant data breaches on record:

“World’s Biggest Data Breaches & Hacks”
Source: Information is Beautiful

PwC Law Firms’ Survey 2020 “Embracing Change to Succeed” also weighs in with some targeted statistics for law firms. According to the survey, “cybersecurity remains a key challenge for law firms, and the sector is increasingly being targeted as firms hold both a wealth of sensitive data and large amounts of client money. This year’s participants deemed cyber risk the second greatest threat to law firms meeting and/or exceeding their ambitions in the period from now until 2022, with only COVID-19 ranking higher. Overall, 71% of Top 100 firms stated they were “somewhat concerned” or “extremely concerned” about the cybersecurity threat. For Top 11-25 firms, cybersecurity was ranked the greatest threat.” Surprisingly, cybersecurity does not appear to find itself as a top priority for most law firms surveyed. “Only 22% of Top 100 firms have a Cyber Committee that reports into the party charged with governance.”

“Percentage of Law Firms with Cybersecurity Committees Reporting into Corporate Governance Forums”
Source: PwC Law Firms’ Survey 2020 “Embracing Change to Succeed”

Most law firms are run by attorneys with little or no background in cybersecurity, or even in security best practices as a baseline. Even where a larger management structure exists, cybersecurity decisions are often left to individual attorneys’ discretion: lawyers without the required expertise, and without the spare time to build a sound security posture from scratch. Meanwhile, those same attorneys hold inside details on mergers, patents and private or personal information, which is exactly what the next attacker is looking for.

When considering these factors, it’s no wonder legal firms get hacked. A 2020 American Bar Association report found that 29% of law firms had experienced a security breach, and 36% reported past malware infections. The 2020 ABA Legal Technology Survey Report also highlighted that only “43% of respondents use file encryption, 39% use email encryption, 26% use whole/full disk encryption. Other security tools used by less than 50% of respondents are two-factor authentication (39%), intrusion prevention (29%), intrusion detection (29%), remote device management and wiping (28%), device recovery (27%), web filtering (26%), employee monitoring (23%), and biometric login (12%).”

Attorney Sean Griffin describes the problem well in his past report detailing these rising challenges. “Additionally, law firms have information on their corporate clients’ employees, including medical information, financial information, and other data useful to hackers. This information is subject to a host of regulatory protections, including HIPAA … and a wide variety of state privacy and consumer protection laws. With this information, a business rival can outmaneuver a competitor, or a hacker can blackmail an individual from half a world away. As the FBI recently warned law firms, hackers see attorneys as a back door to the valuable data of their corporate clients.”

Attackers Law Firms Attract

The June 2017 attack on DLA Piper, in which the NotPetya malware spread through the firm’s global network, was one of the first large-scale attacks on a major law firm to raise a red flag about what might be on the horizon. A steady stream of attacks followed, with attackers and their methods evolving at an alarming rate. If you are still of the school of thought that “it’s just the Fortune 500 companies at risk, this won’t happen to my firm,” you are sorely mistaken. Consider the breaches at several well-known practices: Seyfarth Shaw, Jenner & Block, Proskauer Rose, Grubman Shire Meiselas & Sacks, and Fragomen, Del Rey, Bernsen & Loewy.

Cybersecurity is not one-size-fits-most, and it certainly is not a one-and-done process, especially when law firms handle and store sensitive data as part of their daily operations. An effective program means evolving internal processes, training, systems and more to protect against current threats, plus continuous monitoring to discover whether an attack is underway and get the business back up and running as quickly as possible. These steps are only the tip of the iceberg, but they are critical both to thwarting and to mitigating an attack. The attacks themselves typically come from the following kinds of actors:

  1. State-sponsored organizations, such as units of China’s People’s Liberation Army, target firms holding advanced technical knowledge their government wants. State sponsors also attempt to derail mergers and acquisitions when doing so is deemed “in the national best interest.”
  2. Organized crime syndicates such as “The Mob” employ hacking to gain information for extortion.
  3. Hacktivists like Anonymous are groups of people that steal information and take over accounts to advance a political agenda.
  4. Independent hackers invade networks for revenge, fun, notoriety or profit.

The basic path into an organization is relatively simple. The attacker first decides whether to get in with malicious code (malware such as a virus or a Trojan) or through social engineering, or, very often, both, with a social engineering lure delivering the malware. Then they pick their target and attack.

Most malicious code in use today is commodity malware: a semi-automated, slow and steady way to access information. Fully functional samples can be purchased on illicit marketplaces and message boards for hundreds of dollars, and the organizations that create malware sometimes employ hundreds of people, some even operating a help desk that supports their customers. In a malware attack, the attacker plants malicious code on a server or workstation, and that code then sends passwords, files or emails back to infrastructure the attacker controls. Malware is also increasingly distributed through social media and social engineering attacks.

Social engineering is an entirely different approach to extracting information than a malware attack against systems. Falling prey to social engineering, a firm’s employees and partners unwittingly hand over the information, typically credentials, that can then be used to unlock data. Social engineering is often the fastest way to gain access to critical systems; in this type of attack, the intruder can be in and out before anyone suspects foul play.

However, not all attacks require an unsuspecting user to click a link. In some cases, simply opening an email containing maliciously crafted images is enough to infect a system. According to IBM’s 2020 Cost of a Data Breach report, the average total cost of a data breach is $3.86 million, and the average time to identify and contain a breach is roughly 280 days.

Employees don’t even need to take any specific action to be attacked, and in some of these situations existing security controls, such as antivirus software, cannot help. A law firm, or any of its employees, simply needs to have a social media presence to give an attacker something to work with. In one high-profile case, GoDaddy transferred control of a domain to a malicious party using information taken from a public social media profile; the attackers then received every email sent to the affected organization.

Most attackers gather information through phishing: masquerading as a trustworthy entity in order to acquire usernames and passwords, or to entice the user into clicking a malicious link. Although phishing has traditionally arrived by email, it has evolved to text messages, voice calls and social media messaging, and it continues to rise.
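The masquerading described above leaves traces in the message itself: a display name that doesn’t match the sender address, a lookalike domain, a Reply-To pointing elsewhere, or link text that names one host while the href goes to another. The following Python script is an added example, not code from the original article or a ZeroFox product, that applies those four heuristics to a raw email. The firm domain example-law.com, the list of trusted-sounding names, and both sample messages are constructed assumptions.

```python
"""Heuristic phishing triage for a raw email message (added example).

Assumptions: the firm's mail domain is example-law.com, PROTECTED_NAMES is
illustrative, and both sample messages at the bottom are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

FIRM_DOMAIN = "example-law.com"  # assumed firm mail domain
PROTECTED_NAMES = ("managing partner", "it helpdesk", "accounts")  # assumed


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    # 1. Display-name spoofing: a trusted-sounding name on an outside domain.
    if from_dom != FIRM_DOMAIN and any(p in name.lower() for p in PROTECTED_NAMES):
        findings.append(f"display name '{name}' but sender domain is {from_dom}")
    # 2. Lookalike domain: within two edits of the firm's real domain.
    if from_dom != FIRM_DOMAIN and 0 < _edit_distance(from_dom, FIRM_DOMAIN) <= 2:
        findings.append(f"sender domain {from_dom} resembles {FIRM_DOMAIN}")
    # 3. Reply-To redirected to a domain other than the sender's.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply)} differs from {from_dom}")
    # 4. Links whose visible text names one host but whose href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = (urlparse(href).hostname or "").lower()
            shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text.lower())
            if shown and shown.group(0) != target:
                findings.append(f"link text shows {shown.group(0)} but points to {target}")
    return findings


# Constructed sample: lookalike sender domain ("1" for "l"), spoofed display
# name, off-domain Reply-To, and a link whose text hides its real target.
PHISH = b"""From: IT Helpdesk <helpdesk@examp1e-law.com>
Reply-To: recover@mail-reset-support.net
To: associate@example-law.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Reset it at
<a href="http://mail-reset-support.net/login">https://portal.example-law.com</a></p></body></html>
"""

# Constructed benign internal message for comparison.
BENIGN = b"""From: Managing Partner <partner@example-law.com>
To: associate@example-law.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw) or ["no findings"])
```

Run stand-alone, the script flags all four indicators on the constructed phishing message and nothing on the benign one. These checks are deliberately cheap and local; they complement, rather than replace, gateway controls such as SPF, DKIM and DMARC enforcement, and a Reply-To mismatch or a near-miss domain is a reason for a human to look, not proof of malice on its own.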

Using the Campbell Conroy & O’Neil ransomware attack as an example: although the firm has not disclosed how the malware was installed, it is plausible that the intrusion began with a phishing email that harvested reused passwords. It is a useful case to share with your team if you are looking for support in requiring multi-factor authentication, at a bare minimum.

Protecting Your Firm

The cyber threat to law firms is real, and it’s on the rise as more and more cases hit the headlines, double-extortion ransomware attacks among them. This challenge isn’t going away anytime soon, and the legal industry will remain a target for as long as these targeted attack methods are successful and profitable.

To protect your law firm, you need to understand the unique risks your organization faces and the best plan of action to address them. Our highly skilled team of analysts, paired with intelligence from our robust protection and intelligence platform, understands the cyber threat to law firms in today’s digital landscape.

Download the “Buyer’s Guide for Digital Risk Protection” to learn how to identify what to monitor, the importance of remediation and takedown options, platform capabilities for AI-based threat intelligence and more. This resource is an excellent start to learning more about cybersecurity solutions that should fit your needs. If you want to learn more about what this might look like for your specific firm’s risks, schedule a demo today.
