Despite enormous and increasing resources devoted to protecting confidential information, security breaches continue to plague the legal industry. Hackers are deploying some of the most sophisticated attacks ever seen, and law firms are a primary target. Law firms are storehouses of valuable information, of interest to everyone from organized crime to spouses in marital disputes.
Daniel Tobok of Digital Wyzdom Inc, a security consulting firm based in Toronto, said some in the legal world have been slow to realize just how serious the hacking threat is, although IT departments are doing the best they can. “Sometimes they have a false sense of security,” he said of companies in general. “After they get attacked, they understand that they have to invest a little more.”
A security breach can be an dangerous and expensive lesson for law firms, hurting not only their bottom line, but also the trust and confidence of their clients. It’s far better to learn from the mistakes of others than to wind up in the same situation.
Here’s just some examples of how lawyers and legal administrators are falling victim to hackers:
Last year, a law firm in Virginia fell victim to a spear phishing attack, with hackers infiltrating the firm’s email system and publishing confidential emails related to a high profile case. In addition, the hackers defaced the firm’s website and posted their own public message. Of the emails that were published, one read: “Because we did so well on the case, a group of reckless international hackers stole all of our law firm emails to publish on the internet today. Not sure how this will affect the business of the firm going forward, but for now, we’re not able to do any business.” In another email, an employee tells her mother not to open any email from her work address and closes with: “This may completely destroy the Law Firm.”
Another law firm in North Carolina reportedly got scammed over $300,000 after a hackers used a batch of emails with suspect links to install a keylogger on at least one law firm computer. With this keylogger, they were able to obtain the firm’s online banking passwords and make direct transfers into their own bank account. In this instance, the law firm not only lost $300,000, but is now involved in a litigation case with it’s own bank, which claims that under state and federal law they do not have to restore funds lost through fraudulent activity for commercial customers. In other words, the burden of loss is with the law firm.
In yet another example, lawyers at a major Canadian law firm working on the proposed acquisition of a Chinese company received emails that appeared to be from a partner working on the deal. The email was in fact a fake, and contained an attachment that included hidden malware. Once opened, it infected dozens of computers in the firm. Malware of this kind can sit on a computer undetected for months, stealing reams of information before anyone realizes security has been breached. And there is no question that sensitive information stolen from a law firm on an impending merger or acquisition has value: It could be used to sabotage a deal, it could be sold to rival bidders, giving them an advantage in negotiations, or it could be used to conduct illegal insider trades.