Panama Papers Fallout: What If Your Lawyer Gets Hacked? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // Security & Risk Strategy
09:06 AM
Lisa Morgan
Lisa Morgan
Connect Directly

Panama Papers Fallout: What If Your Lawyer Gets Hacked?

As the latest wave of high-profile breaches shows, all the sensitive information law firms handle makes them attractive cyberattack targets. Here's what can happen and what you should do about it.

Data Products: 9 Best Practices To Minimize Risk
Data Products: 9 Best Practices To Minimize Risk
(Click image for larger view and slideshow.)

Your company has likely spent a lot of time, effort, and money keeping its security systems, policies, and practices up to date. Can the same be said of your law firm?

The legal industry isn't exactly known for its technology leadership, which should be of concern, especially from a security perspective. Don't assume that your data is safe, in other words. Be prepared to do your own due diligence.

"Law firms retain a lot of sensitive corporate data that would be extremely valuable to hackers or outside parties. In particular, hackers are interested in corporate legal information, intellectual property from their clients, information on directors and officers of corporate clients, settlement terms, and more," said Jacob Olcott, the former legal adviser to the Senate Commerce Committee, counsel to the House of Representatives Homeland Security committee, and current VP at Bitsight Technologies, in an interview.

"Since law firms often deal with highly sensitive information, they are a clear target for hackers trying to earn money on the black market. In addition, hacktivists may be interested in the information held by a law firm for political purposes."

(Image: pixelcreatures via Pixabay)

(Image: pixelcreatures via Pixabay)

Recent high-profile breaches are an example. In March 2016, American Lawyer reported that two of America's most prestigious M&A law firms, Cravath, Swaine & Moore and Weil, Gotshal & Manges, had been hacked for insider trading purposes. Cravath was the only firm to comment publicly on the matter.

In April 2016, Panamanian firm Mossack Fonseca admitted it had been hacked. A hacktivist reportedly leaked 11.5 million documents, totaling 2.6 terabytes of data, to German newspaper Süddeutsche Zeitung. The trove is collectively called the Panama Papers. These documents reveal details about shell companies, their high-profile owners, and parties that helped them evade taxes and remain anonymous. However, as always, the stories making headlines are few and far between. No company, including a law firm, wants to advertise its vulnerability.

"Many top law firms have pretty good structural security. However, they drop the ball in two places: They use less sophisticated local counsel and give them sensitive documents, and they don't put sufficient checks on their people," said Jay Edelson, founder and CEO at law firm Edelson PC, in an interview.

The actual scope of attacks is difficult to gauge. For example, in its 2015 Annual Security Report, Cisco named the legal industry No. 7 in its list of top 10 company types at risk for Web malware infections. According to an American Bar Association (ABA) 2015 Legal Technology Survey Report, 15% of the 880 lawyer respondents said their firms had experienced a security breach, and 23% of them said they didn't know if they had. More than four in ten (42%) said their computers had been affected by a virus, while 23% said they didn't know. The larger the law firm, the greater the increase in breaches.

"Law firms represent a critical component of most companies' supply chain[s]," said BitSight's Olcott. "Most companies are focused on managing the cyber risk of their supply chain, and one of the first organizations they start with is their law firm."

Popular Attack Vectors

Social engineering and phishing top the list of popular attack vectors facing law firms, because they are effective and often not obvious until it's too late.

"All the technology in the world can't protect you from employees who click on things they shouldn't. And in their defense, attackers now do a lot more advanced reconnaissance. They write well-crafted emails that look legitimate and even reference current cases obtained from public record filings and [the] attorneys of record," said Sharon Nelson, an attorney and president of digital forensics, information technology, and information security company Sensei Enterprises.

[Big data is becoming a big crime-fighting tool. Read IBM Watson to Fight Cybercrime.]

According to the ABA Journal, most major law firms have been breached. When a breach occurs, it isn't discovered for eight or nine months. In some cases, firms remain unaware of a breach until the FBI brings it to their attention.

"The biggest threat currently appears to be financially motivated criminal hackers. Many recent attacks appear linked to Eastern European organized crime syndicates," said Jason Straight, an attorney, senior VP of cyber risk solutions, and chief privacy officer at legal and business services provider UnitedLex, in an interview. "Nation states [and] organized crime networks [are] looking to engage in insider trading, front-running, extortion, or blackmail. Business rivals [are] looking for competitive intel, [and] even activists with an ax to grind [are looking]."

Social engineering and phishing can be particularly problematic because employees may not be trained to recognize their characteristics.

"Because many federal and state courts are now working with electronic filing and other types of court records, it's especially important that lawyers not just open something appearing to be from a court without knowing it is definitely related to a matter and that they have validated the sender," said Ann Singer Keating, CEO of data security solution provider Reclamere.

Of course there are the usual vulnerabilities that generally plague businesses, such as failing to update and patch software, update antivirus software, do penetration tests and regular audits, train employees

Page 2: Steps you can take to protect yourself


Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Becoming a Self-Taught Cybersecurity Pro
Jessica Davis, Senior Editor, Enterprise Apps,  6/9/2021
Ancestry's DevOps Strategy to Control Its CI/CD Pipeline
Joao-Pierre S. Ruth, Senior Writer,  6/4/2021
IT Leadership: 10 Ways to Unleash Enterprise Innovation
Lisa Morgan, Freelance Writer,  6/8/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll