A 2020 survey by the American Bar Association found that 29% of the participating law offices encountered some form of cybersecurity threat, while 21% could not determine with certainty whether a cyber attack had happened or not.
Examples of these cybersecurity breaches include data theft and website exploitation. Furthermore, the study found that there was a 3% increase in the number of law firms that experienced cybersecurity threats from 2019 to 2020.
At a time when the pandemic is causing an increase in online business transactions and remote work setups, this data should be a cause for concern not just for law offices but for their clients as well. The study reports an apparent sense of false security among many law offices, considering that 70% of respondents believed that no loss or disruption to their business occurred. However, as the American Bar Association itself notes in the survey, “…it is only natural to wonder whether the seemingly positive trends reflect a troubling sense of comfort in the short term amid the prospect of a potentially longer-term harm.”
As Security Magazine noted in a 2017 article, “criminal data breaches will cost businesses a total of $8 trillion over the next 5 years, due to higher levels of Internet connectivity and inadequate enterprise wide security.” Similarly, 2019 research by digital technology think tank Juniper Research predicted that the cost of business losses due to cybersecurity attacks will pass $5 trillion by 2024.
Why are Law Firms a Global Target for Cybercriminals?
Cybercriminals have a particular affinity for attacking law firms because firms hold huge amounts of sensitive client and industry information. If attackers gain access to this information, they can use it to hold corporations and clients hostage, demanding a ransom before allowing the victims to regain possession of their data. And if they are able to obtain login credentials for banking or credit card accounts, they can outright steal money.
As will be shown later, cybercriminals are not shying away from Big Law firms. In recent years, there have been multiple cases of major legal firms in the US, UK, and Australia being attacked and breached. With a wealth of valuable information at their disposal, including personally identifiable information (PII), financial information, and merger and acquisition (M&A) data, legal firms have become a favorite target for cyber crooks.
This inclination of cyber criminals to attack lawyers is strengthened by the fact that law firms generally have weaker cybersecurity systems compared to companies in other industries like tech. Even smaller-sized tech companies would have better cyber protection than big law firms. As reported by Attorney at Law Magazine, a lot of lawyers “are still reluctant to hire cybersecurity experts for their firms, either in-house or as consultants, usually because they are unaware to what extent these types of online threats can be damaging.”
In Australia, the weakness of many law firms’ cybersecurity is reflected in a staggering statistic: a third of law firms in the country do not allocate funds to cybersecurity training. Research by GlobalX and the Australian Legal Practice Management Association (ALPMA) revealed a paradoxical situation in which 79% of lawyers are alarmed about cybersecurity, but only 21% trust their firms to be able to survive a cyber attack. Despite an awareness of the seriousness of cybersecurity threats, 33% of Australian law firms seem to be caught up in a culture of complacency in the legal industry. As we will see later in the case studies, the less proactive stance that law firms have taken on cybersecurity has resulted in massive damage to their businesses.
What Tactics Are Cybercriminals Using to Attack Law Firms?
In 2017, DLA Piper was hit by a ransomware attack that debilitated thousands of its computers. The attack forced DLA Piper to shut down its digital operations globally. The email and phone systems were disabled, forcing lawyers and other employees to do business using mobile phones. Needless to say, it was a very stressful affair for the company’s staff, considering how heavily a legal corporation depends on documents for its operations. American Lawyer makes a fitting observation of the adverse effect of the ransomware attack: “Consider litigators unable to access motions on a deadline. Trial lawyers preparing for arguments without key documents. Transactional lawyers unable to communicate with clients attempting to close multibillion-dollar deals.”
The United Kingdom became a breeding ground for phishing attacks against law firms following the 2020 lockdowns due to the COVID-19 pandemic. The Solicitors Regulation Authority identified a 300% increase in phishing in just the first two months after lockdown was initiated. During the first six months of 2020, British law firms reported that cybercriminals stole nearly 2.5 million pounds from them, more than three times the amount reported in the first six months of 2019. One legal firm reported a phishing scam that victimized its senior partner. A phishing email containing malware was disguised as coming from a client. When the victim opened the attachment, it immediately sent email messages to the senior partner’s contacts asking them to click a link and provide information. As a result, the law firm had to ask its bank to freeze its client account and send an apology to the affected clients.
In October of 2020, immigration law firm Fragomen, Del Rey, Bernsen & Loewy experienced unauthorized access to I-9 files containing personal information of past and present Google employees. This law firm conducts verification screening for companies to ascertain whether their employees have legal status to work in the United States. I-9 files carry a lot of confidential data, including passport information, driving licenses, and ID cards, making them a prize for hackers and identity thieves.
Recent Examples of Attacks on Law Firms
In January of 2021, a vendor that handled large file transfers for Goodwin Procter became a victim of hacking. This enabled cybercriminals to gain access to data that the vendor managed for the law firm. Goodwin’s investigation concluded that sensitive material belonging to some of the law firm’s clients could have been accessed without authorization, that only a small percentage of Goodwin employees were affected, and that there was no evidence that other assets and business operations were negatively impacted. However, as Law.com notes, “some believe the real dramas are happening in private.”
Allens, one of the biggest and most highly regarded Australian law firms, was also the victim of a sophisticated cybersecurity breach in January 2021. The attack was reported to have been initiated through a two-decades-old file transfer and storage system operated by Accellion, a California-based cybersecurity firm that provides file transfer and storage services for large corporations, including many legal firms around the world. Accellion only updated its legacy product last year, when it discovered a vulnerability in the system. In a rather ironic twist, former Allens infrastructure manager Shawn Schmidt was quoted on Accellion’s website regarding the Australian legal firm’s choice of the cybersecurity company: “We could have easily allowed employees to use consumer-grade solutions such as Dropbox that, on the surface, would have gotten the job done. But we knew our firm and our clients needed something they could trust and rely on.”
Jones Day, the 10th biggest law firm in the United States and also a client of Accellion, reported in February 2021 that private client data as well as company communication files were compromised, likewise through a vulnerability in Accellion’s two-decade-old File Transfer Appliance.
The 2020 cybersecurity survey by the American Bar Association reveals the extensive damage that law firms have experienced due to breaches. Thirty-five percent of the participants in the study reported loss of billable hours to their clients; thirty-nine percent had to pay consultation fees for repairs; seventeen percent had to replace either their hardware or software; twenty-three percent lost network access; and ten percent lost access to their website.
Law firms need to take a more proactive stance if they are to combat cybersecurity attacks. They should be in constant communication with their security provider in order to receive the latest patches and updates. Even cybersecurity companies can fall into complacency, so it is up to law firms to choose their service providers carefully.
Lawyers know, first and foremost, that keeping information confidential is the gold standard in their business. It is one of the foundations of their firm’s reputation. It is the basis for developing a relationship of trust with their clients. And it affords them protection against malpractice lawsuits. In the end, law firms should look to invest in cybersecurity products and services that are cutting-edge and have excellent reviews.