Cyberattacks Against Law Firms Expose Clients’ Sensitive Information

The mobile workplace has expanded the practice of law from wood paneled window offices to just about anywhere there’s a wireless connection.  And that’s made law firms target rich environments for cybercriminals looking to steal their clients’ sensitive information.

Few law firms will publicly admit to a data breach. But Mandiant, a cybersecurity firm that tracks industrial espionage, estimates that 80 major U.S. law firms were hacked in 2011 alone.

Law firms routinely collect information about their clients on a single network.  And it’s ironic that those networks are often far less secure than those of the corporate clients they represent.  That’s because law firm employees can unwittingly compromise their clients’ confidentiality when they post their cell phone numbers on social networks, use easy-to-crack passwords, click on malware infected phishing email links and review sensitive information at Wifi hotspots.

Law Firms Are a Back Door  to Clients’ Confidential Information

Criminal and state-sponsored hackers know exactly what they’re looking for from law firms – sensitive information that they can sell or exploit to give them a competitive edge.  That’s why their prime targets are firms that represent celebrities and corporate clients involved in big business deals such as mergers and acquisitions and international takeovers.

Because it’s widely known that attorneys’ files aren’t well protected from cyberattacks, it’s much easier for hackers to take the back door into stealing a company’s files by hacking its law firm’s files instead.

This year, Forbes reported that the FBI informed two partners at a New York law firm that all of its client files were discovered on a server in a foreign country.  The agents told them off the record that the files were sent from that server to China, according to Alan Paller, research director of the SANS Institute, a provider of security training and certification. Paller knows that because he met with the two partners of the law firm whose files were hijacked. They were seeking his advice about what to do.  But nothing could be done about their clients’ stolen information.

Law Enforcement Warns Law Firms About Targeted Cyberattacks

Since 2009, the FBI has been warning law firms about the rising risk of  targeted cyberattacks.  But last November, it took the unusual step of convening a meeting of the top 200 law firms in New York City to urge them to review their cybersecurity policies.

Mary Galligan, the head of the cyber division of the agency’s New York City office, found that some firms were well prepared.  But others had no idea of the danger.

“We’ve seen specific documents from law firms on specific deals being exfiltrated from cyberattacks,” said Galligan at a recent New York City law conference, according to The Wall Street Journal.  But the rising risk of law firm hack attacks isn’t only a problem in the U.S.  In 2010, seven Canadian law firms were penetrated by hackers; and four Toronto firms were hit later.

And the Director General of the British Intelligence Service MI-5 informed the 300 largest companies in the UK that their information was just as likely to be stolen from their attorneys and international consultants computers, as it was from their own computers, said security expert Alan Paller in Forbes.

Most states have laws requiring notification if data security has been breached.  And a small number of state bar associations have informed their members that they’re ethically obligated to keep up with technology and take appropriate steps to protect their clients’ sensitive information.

A committee of the State Bar of California issued a strong warning to its members about the lack of security features in most public Wifi locations.  It said that attorneys risk violating their duties of confidentiality and competence when they use wireless connections at coffee shops to work on clients’ material, unless they take appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. That’s the only way to protect confidential information online.

How to Stay Connected and Protect Client Confidentiality

If you’re an attorney,  it’s critical to control and monitor who has access to confidential client information on your network.  Use a strong password composed of at least 12 upper and lower case letters, numbers and symbols.  Be certain you’re not using default user IDs and passwords for any hardware or software. Use PINs for smartphones; and use WPA encryption – or better yet WPA2 encryption – for your wireless network.  Make sure your security software is frequently updated and your back-up media is encrypted.  And educate your employees to avoid clicking on phishing and spear phishing attachments and links in email.

When you’re away from the office, it might be tempting to review client files at hotel, airport and coffee shop hotspots.  But remember, nothing you view on public Wifi connections is private.  Hackers can set up fake Wifi hotspots called Evil Twins that look like the real thing.  And if you’ve enabled file sharing, your clients’ confidentiality is in even greater jeopardy.  When you need to access important information at a hotspot, always use VPN software like PRIVATE WiFi™.  Virtual private networks secure your clients’ sensitive information by making it invisible to hackers.