Hackers Single Out Law Firms AND Legal Depts.
We have long reported that hackers love to break into law firms. This is in part due to the fact that many law firms do not have good cybersecurity practices, especially small firms. The other part is that breaking into a law firm is like winning the lottery. Instead of getting one customer’s data, they get dozens to hundreds of firms’ data.
This week they went after a managed service provider, CTS, that provides IT services to law firms. Hack the MSP that the law firms use and you win the prize. Not only does it paralyze hundreds of law firms but it nets the hackers lots of data that they can sell or ransom.
In another attack, the LockBit group said that it hacked the law firm Allen & Overy. The firm said they were hacked, but did not admit to ransomware.
At least one hacking group compromised law firms’ web sites, created fake content to make the sites rise in search engine rankings and then dumped ransomware on the compromised sites’ visitors.
When it is not law firms, it is people in the legal department that are targeted for the same reason.
Hackers have long favored law firms as a way to steal secrets, absconding with Uber drivers’ personal information from law firm Genova Burns LLC in January; hijacking data on the contracts and personal emails from 200 high-profile celebrities — including Lady Gaga, Madonna, and Rod Stewart — from New York law firm Grubman Shire Meiselas & Sacks in 2020; and allegedly leaking the “Panama Papers” — 11.5 million documents on wealthy tax evaders — from Panama-based law firm Mossack Fonseca.
The law firms themselves have not been terribly interesting, but … their clients are. But that is changing. The American Bar Association says that 27% of law firms suffered a security breach in 2022.
THAT IS JUST THE FIRMS THAT ADMITTED IT!
The Gootloader malware attacks the legal beagles by search engine optimization poisoning. Seed malicious content and malvertising on search terms attractive to law firms, lawyers and paralegals and, boom, you are in.
In addition, the hackers are separating law firms from their money with business email compromise scams. For law firm clients, unless the firm files for bankruptcy and you have a retainer on deposit, that is mostly the firm’s problem.
The biggest problem for companies is the data that they have shared with the law firms and their own legal department.
We would recommend reviewing the contracts that you have with law firms. I remember one contract that basically said something to the effect that cybersecurity is hard, we try to protect your information, but we make no promises as to whether your information is secure. That is certainly honest, but I would not share any sensitive information with that firm.
One potential way around this that MAY work in SOME situations is using a data room that you control.
If this raises any concerns for you, please contact us for assistance. Credit: Data Reading