Hackers lead law firms to focus on cybersecurity
In the wake of reports that hackers have tried to infiltrate the IT systems of nearly 500 of the United Kingdom’s law firms and further reports that two U.S. law firms have been breached, lawyers everywhere are focusing on cybersecurity more intensely than ever.
The Solicitors Regulation Authority, which regulates solicitors in England and Wales, recently said that some $11.5 million of clients’ money has been lost to cyberattacks on law firms.
Imran Ahmad, a lawyer with Miller Thomson LLP in Toronto, is not surprised by these revelations. “Law firms are fertile ground for hackers because they have precious financial information, like transactional information, client information, and human resource records, that allows hackers to build online profiles of individuals,” he said.
Stolen credit card information is useful only until the cardholder or the bank notices the fraud and cancels the existing card. But unauthorized access to an individual’s complete online profile enables more sophisticated identity theft and is much harder to remedy.
“Hackers sell credit card information on the darknet for $2 to $4 a pop,” Ahmad said. “A full profile could bring 10 times as much.”
Canadian law firms have hardly been immune from cyberattacks. The most high-profile attack in Canada started in September 2010 when hackers compromised the security of seven major Canadian firms — Blake, Cassels & Graydon LLP and Stikeman Elliott LLP among them — involved in BHP Billiton’s proposed takeover of Potash Corp. of Saskatchewan. Both Blakes, counsel to BHP, and Stikeman Elliott, counsel to Potash, say that no client information was compromised.
An investigation revealed that the spyware responsible had been formulated on a Chinese-language keyboard and could be traced to servers in China linked to state-owned enterprises.
It was no secret that the Chinese government, worried about a global potash monopoly, opposed the deal. As the Chinese have long been accused of resorting to cyberespionage for various political and commercial purposes, the evidence implicating China was telling.
It subsequently emerged that an unrelated attack had targeted another major M&A, while a third was aimed at high-profile litigation.
“For someone who wants easy access to competitive intelligence, law firms are the lowest hanging fruit,” said Domenic Jaar, KPMG’s Montreal-based national practice leader, forensic technology services.
But it’s not just law firms doing sensitive M&A deals that are being targeted. Several years ago, fraudsters embedded the “Trojan bank virus” in a computer used by the bookkeeper in a small, Toronto-area law firm. The virus emulated a bank’s website: when the bookkeeper typed in the firm’s trust account password, it sent the password to the hackers. It then became a simple matter to access the account and transfer out what has been reported as a “six-figure sum.”
So what are Canada’s law firms doing to shore up their security? Both firms and outside experts agree that awareness is increasing, often as a result of pressure from clients.
“Banks, for example, are ensuring that the law firms who act for them have a stringent cybersecurity protocol and insisting that they have adequate training and insurance,” Ahmad said. “And many law firms are introducing policies relating to M&A cybersecurity due diligence programs.”
Following the Potash incident, Toronto-based Goodmans LLP (which was not a target in the M&A-related cyberattack) introduced application whitelisting technology developed by Massachusetts-based Bit9 Inc. The software allows only trusted programs to run on a law firm’s system.
By contrast, Torys LLP simply locked down end-user privileges on the firm’s desktops, which prevented end users from installing applications without authorization.
According to Ahmad, 2017 will be a watershed year for cybersecurity because impending changes to Canada’s privacy legislation will require custodians of data, including law firms, to report information security breaches that pose a “real risk of significant harm.”
“About 47 U.S. states already have that requirement,” Ahmad said.
The new reporting requirement may well reveal that cybersecurity is a much bigger issue than the profession cares to admit. Because losing confidential information is high on the list of factors that can undermine a firm’s reputation, law firms have not been prone to acknowledge publicly that they’ve been the target of attacks, especially successful ones.
Several years ago, a survey revealed that almost one in five law firms in the U.K. had suffered a cyberattack in the preceding 12 months.
Chief information officers at some of the country’s largest law firms later told media “the threat and frequency of cyber attacks is likely to be much higher than the perceptions of those surveyed.”