Law-Firm-Data-Breach-Themis

Takeaways From Notable Law Firm Data Breaches

Law firms collect sensitive and privileged data, making them prime targets for cyberattacks. Unfortunately, some of these attacks succeed and the news of a law firm data breach becomes part of the public domain.

This is why law firms need a strong cybersecurity posture to defend against modern threats. This blog discusses specific threats, what happens when law firms get attacked, and what are some best cybersecurity practices.

Why is the Legal Sector Targeted?

The global market for legal services is expected to surpass one trillion dollars by 2025. Cybercriminals like industries where the impact on the reputation of the target is disproportionately high, as there’s more likelihood the victim will pay a ransom.

Aside from the fact that legal firms typically store details about trade secrets, intellectual property, mergers, and other lucrative information on their computer systems, threat actors perceive these organizations as unlikely to prioritize cybersecurity. A 2021 survey of law firms reinforced this perception when it found that just 36% of respondents had a formal incident response policy for cybersecurity events.

Looking at some of the most high-profile law firm data breaches underscores just how persistent cyber threats are to the legal industry.

Campbell Conroy & O’Neil

Campbell Conroy & O’Neil, a large law firm practicing across 11 different locations in the United States, clients included Ford, Honda, and Boeing. In February 2021, malicious actors infiltrated Campbell Conroy & O’Neil’s IT network and installed ransomware, which prevented access to important files.

A data privacy incident disclosure released by the firm indicated that sensitive information about individuals was compromised, including financial account information, Social Security numbers, passport numbers, and payment card information. The firm offered affected individuals 24 free months of credit monitoring, fraud consultation, and identity theft restoration services.

Grubman Shire Meiselas & Sacks

With a client portfolio that includes musicians such as Lady Gaga, Madonna, and Drake, Grubman Shire Meiselas & Sacks (GSMS) is another law firm that boasts a high profile reputation. The company, which serves media and entertainment clients, had 756 gigabytes of private documents and correspondence exfiltrated from its network in May 2020 during a ransomware attack.

The threat actors behind the attack on GSMS were part of the notorious REvil gang. Before their eventual arrest in 2022, REvil members racked up a considerable list of ransomware victims. REvil demanded a $42 million ransom from GSMS. After an initial $21 million demand went unmet, REvil members posted 2 gigabytes of stolen data about GSMS’ clients on the dark web to further incentivize payment.

Jones Day

First founded in Cleveland over hundred years ago, Jones Day is the fifth-largest law firm in the US and one of the top 15 highest-grossing in the world.

The Jones Day attack resulted from a software supply chain vulnerability in the Accellion file transfer system that impacted a total of 100 organizations. Supply chain attacks often have far-reaching, downstream consequences that impact hundreds of companies and potentially millions of people from a single vulnerability.

Common Attack Vectors Leading to Law Firm Data Breaches

While the cyberthreat landscape is ever-changing, there are some clear trends in the attacks that lead to big law firm data breaches. Here are some of the main methods, attack vectors, and tactics that hackers deploy to target businesses in the legal sector:

Ransomware

Ransomware attacks use encrypted systems and/or stolen, exfiltrated data as leverage to extort large payments from law firms. Industry sources indicate that smaller law firms are increasingly impacted by ransomware. The threat of ransomware is not going away despite several high-profile recent arrests targeting ransomware gangs.

Ransomware can bring significant costs to a law firm after a data breach, not just from the damage done to encrypted systems, but also from regulatory penalties due to inadequate protection of sensitive client data. In March 2022, UK criminal defense firm Tuckers Solicitors received a £98,000 fine in the wake of a ransomware attack that compromised sensitive criminal court information.

To address the risk of ransomware attacks, law firms should securely backup systems and data, deploy advanced endpoint and email security, monitor threats on a 24/7 basis, and implement multi-factor authentication.

Phishing

Phishing campaigns are becoming more common for law firms as hackers improve their skills in crafting convincing emails that persuade law firm employees or their clients to unknowingly take dangerous actions, such as clicking a malicious link, revealing private information, or installing malware. Phishing has morphed in recent years to not just target email but also smishing (text messages) and vishing (phone calls).

Threat actors often hit law firms with more targeted spear-phishing campaigns in which they either target or impersonate a very specific individual within that company. In one recent instance, a new Finance Manager at a law firm transferred £60,000 to an individual impersonating a trusted supplier.

Attacks Against Remote Workers

With hybrid work policies becoming a mainstay of how many law firms operate, many cyberattacks try to exploit potential security gaps in remote work technology. One example is trying to compromise or brute force entry into remote desktop protocol (RDP) connections from which law firm employees log in and work remotely.

A successful compromise of an RDP account can give threat actors the keys to a corporate network. Hackers can also try to get into a law firm’s network through VPN accounts, unsecured public Wi-Fi connections, and even through IoT devices.

Software Vulnerabilities

Cybercriminals will try to exploit security vulnerabilities in software used by law firms, such as general IT software or specialized legal software. Jones Day was a prime example of the impact of this type of attack. Australian firm Allens was another legal sector victim from the Accellion fallout.

Hackers can also exploit vulnerabilities in third party libraries and other components that provide functionality to applications. These so-called software supply chain attacks can simultaneously affect thousands of businesses. The recent Apache Log4j vulnerability was a software supply chain attack.

Cybersecurity Best Practices for Law Firms

Many law firms lack the IT resources to make security a priority and might feel intimidated by the prospect of strengthening their cybersecurity practices in light of today’s high-volume, sophisticated threat landscape. But becoming more secure doesn’t have to break the budget by hiring dozens of expert security specialists. Quite often, even the most high-profile breaches stem from entirely preventable security errors and could have been mitigated by following some basic best practices.

Here are some recommendations to improve your law firm’s cybersecurity and prevent your organization from being the next law firm data breach.

Draft a Security Policy

Even in 2022, 17% of respondents surveyed report their law firm does not have any security policies and another 8% do not know about their law firm’s security policies. This is a basic requirement that any legal firm should have in place regardless of its size. Draft a security policy that at a minimum covers BYOD, emails, data retention, and an incident response plan, if you were to be attacked.

Prioritize Patch Management

Incidents like the zero-day Accellion supply chain breach are difficult to do anything about because a zero-day software breach, by definition, hasn’t yet been patched with a security update. Still, patch management often is low on the priority list in terms of security prioritization – and this shouldn’t be the case. There are many vulnerability management solutions available to firms’ needing assistance in prioritizing.

The attack on GSMS highlighted pervasive patch management issues in the legal sector when a post-mortem of the incident revealed it all started with hackers exploiting unpatched Pulse Secure VPN servers. A patch for these servers was available for at least four months prior to the breach.

Protect your Endpoints

With cyberattacks often originating on endpoint devices, such as laptops and workstations, it’s imperative to step up endpoint security. Ideally, you should seek out a solution that effectively detects suspicious processes and behaviors on endpoints, such as using a comprehensive Endpoint Detection and Response (EDR) solution.

Secure Account Logins with Multifactor Authentication (MFA)

Passwords are no longer strong enough to secure access to employee accounts. New York City’s law department knows this all too well⁠—a 2021 incident saw hackers using an employee’s stolen password to infiltrate the department’s network. A recent Microsoft survey of their customers using Azure AD, showed 78% are still only using passwords without other strong identity authentication protections. It is critical to implement multifactor authentication (MFA) for access to key IT services, including Microsoft 365, remote desktop protocol, VPNs, cloud services, and even workstation logins.

Cloud Security

Law firms are increasingly using the cloud to store data and relying on cloud-based applications to operate their practices. Since cloud platform providers, like AWS, only take responsibility for securing their cloud platform, law firms must implement best practices for securing their data in the cloud by monitoring logs, scanning for vulnerabilities, and implementing other security controls to ensure unauthorized users cannot gain access to sensitive documents.

Identity Management

Law firms must prevent unauthorized access to sensitive data or core systems. Steps to reduce the risk of credential theft include using strong, unique passwords, multi-factor authentication, and fine-grained access controls that allow administrators to set employee permissions based on their roles and responsibilities. Monitor for high rates of authentication failures on service accounts for Windows. 

Continuous Monitoring for Compliance Issues

A host of diverse regulations aim to protect different types of sensitive data stored by law firms about their clients. For protected health information, there’s HIPAA, the CCPA protects data privacy for Californian residents, the GDPR protects data belonging to EU citizens and residents. Noncompliance with any regulation risks costly penalties, and it’s critical to meet all forms of regulatory oversight that apply to your firm.

Simple steps, such as continuous monitoring enables you to rapidly detect compliance risks before they become serious security issues and log analysis and reporting enables better visibility. If this is something your firm is unable to do in-house, there are options to outsource to cybersecurity specialists, such as a Managed Detection and Response provider.

Improve Incident Response

When a security threat is detected, law firms must respond quickly to reduce the risk of a security breach. However, many law firms do not have the resources to respond to high priority alerts on a 24/7 basis and sometimes internal processes can slow up response actions. By instantly blocking an attack or containing a threat, automated response solutions provide time for investigation and remediation before a law firm’s security is compromised.

A dedicated incident response plan is critical for any law firm that suffers a data breach, as it addresses what happens once hackers get past your perimeter security controls.

The incident response plan establishes processes for detecting, containing, investigating, and recovering from security incidents that have already infiltrated your environment. It’s highly recommended to include ransomware preparedness as part of this plan with a clearly defined set of steps to take if your firm’s network gets hit by a ransomware attack (ex. should you pay?).

Without any semblance of a plan in place, cybersecurity incidents easily lead to panicked decisions that make the problem worse. While incident response plans and functions can be challenging to put in place, the cost of a data breach at a law firm makes the effort worthwhile.

Closing Thoughts

Downtime, loss of billable hours, and reputational harm are outcomes that no company wants to face, but they are entirely within the realms of possibility from any law firm data breach. However, following some simple best practices will help your firm get on the right track. For those struggling to get the resources in-house, looking to partner with a security provider offers an affordable, scalable, and efficient way to address security gaps for law firms of all sizes.

To learn how Proficio to find out how we can help your law firm improve its cybersecurity defences, contact us.