
As Law Firms Fall to Cyber Attacks, is Your Data Safe?

Law firms, generally, have some of your most sensitive data.

On the other hand, many law firms do not have a great cybersecurity program.

As a couple of the mega law firms like Jones Day and Goodwin Procter have recently fallen to cyber attacks, now is a good time to review your law firm’s cybersecurity program.

Unless, of course, you are okay with your most sensitive data being posted, for free, on the dark web.

As some Jones Day clients are discovering this week.

The story as currently reported is that hackers stole data from Jones Day. It appears that this data may have been on an Accellion FTA file sharing system. Jones Day confirmed that the Accellion system is the source.

The CL0p hacking group attempted to extort these lawyers, but apparently the lawyers ignored them, which sort of annoyed the hackers.

As a result, the hackers have posted several gigabytes of data for all to see. Just to up the pain and hopefully get money.

Jones Day was one of the firms that represented ex-president Trump in some of his failed attempts to overturn the 2020 election, but the hackers claim that the attack is not about that, but rather merely business (AKA money).

The hackers are offering 20 caches of allegedly stolen Jones Day data ranging in size from 1.5 gigabytes to 4.5 gigabytes. If the data is purely text, 1 gigabyte represents somewhere around a half million pages. 20 caches x 4.5 gigabytes x 500,000 pages per gigabyte is a lot of pages.

To embarrass the law firm executives and get clients to pressure firms to pay up, the hackers are specifically targeting data from executives, theorizing that this is some of the most sensitive data.

The bottom line is that law firms seem to have a target painted on their backs and hackers seem to be going after them. If you are not asking your law firm how they are protecting your stuff, then you may be the next victim to find your sensitive legal documents available on the dark web.

We recommend not accepting platitudes like “we take security seriously” or “your privacy is our highest priority”.

One question to ask is WHO is liable if they are hacked. I have seen several law firm engagement letters that disavow any responsibility. Is that okay with you?

In light of recent events, now is a good time to review your agreements with your law firms. If you need assistance, please contact us.

Credit: Threatpost