720-891-1663

Breach, Compliance, Hacks, Security Practices

Another Law Firm Gets Security Religion – AFTER Hackers Stole 325,000 Customer’s Data

Leave a comment

The Houser LLP law firm specializes in taking care of high-profile financial institutions. Last May they were hacked. Ten months later they are finally notifying those high profile customers.

They eventually were forced to disclose the breach to the Maine AG (among others). They said files were encrypted (AKA ransomware) and data was stolen. Data stolen includes names, socials, licenses, tax numbers, account numbers and medical information.

They hired an unnamed firm to investigate and, they said, the hackers were inside their network from May 7 to May 9. It does not take long to steal data for 325,000 people.

The regulatory filing said that they contacted the hackers (likely, but unsaid, to pay the ransom). In June the hackers said that they deleted the data (maybe the ransom was paid) and they would not sell the data.

Seven months later the outside firm completed their investigation.

Among their customers are Citibank, Deutsche Bank and HSBC. The firm serves clients in every major financial center.

The good news, if there is any, is that after the barn caught fire and the horses all died, they decided that they should improve security. So, what did they do?

Among other things, the items that they tout in a letter to customers include:

  • They installed RocketCyber. RocketCyber is a security event monitoring tool usually provided by managed service providers to their customers. It is adequate for small companies, but probably, for companies that include Citibank in their customer list, something more sophisticated might be in order.
  • They implemented multi-factor authentication. A bit late. Assuming they didn’t have it before, they were not compliant with any number of regulations.
  • They added ransomware detection software. I assume this means endpoint detection and response – what used to be called anti-virus software. Did they really not have this before?
  • Finally, they added phishing training. Again, required.

While I am beating them up – with some justification – the point is that here is a money center law firm, with big, name-brand customers, and their security is, to be kind, a bit lacking.

Do you think that the law firms that you share your data, your employee’s data and your customer’s data with do a better job? They might. Do you know? Did you ask?

If this makes you a bit nervous and you are not sure what to do, please contact us.

Credit: The Record

Facebooktwitterredditlinkedinmailby feather

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2024 CyberCecurity, All rights reserved. Privacy Policy