Last month, a trio of Chinese traders were charged with hacking into the computer networks at two prominent law firms and using information about the firms’ clients to earn more than $4 million in illegal profits through insider trading.
It’s an attack that should force in-house counsel to reflect on their outside law firms’ data security efforts. The hackers stole highly sensitive information about the merger and acquisition plans of at least five companies. The case also “should serve as a wake-up call for law firms around the world: You are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” U.S. Attorney Preet Bharara of the Southern District of New York told The Wall Street Journal.
Bharara’s office is prosecuting the hackers and in its indictments detailed the information collected. The hackers gathered material on the lawyers involved and on the partner in charge of a particular deal. They then breached firm servers using the login credentials of firm employees. Though the indictments do not say how the credentials were obtained, security experts have said they believe employees were the subject of “phishing” attacks – where a person is tricked into downloading malware or revealing their login credentials. Another potential source for credentials: The dark web, where hacked user data from companies like Yahoo is for sale. Since many people use the same passwords across various accounts, hackers have purchased the information and applied it to a number of sites.
Once inside the network, the hackers were able to gain access to emails among senior partners and to and from clients.
The indictments didn’t name the firms that had been breached, but The Wall Street Journal reported that the details match those around hacking incidents that had been revealed at Cravath, Swaine & Moore and Weil, Gotshal & Manges.
But Cravath and Weil weren’t alone. According to a news release from the Southern District, in addition to hacking and trading on information from the two unnamed firms, the defendants “repeatedly attempted to cause unauthorized access to the networks and servers of five other victim law firms using means and methods similar to those used to successfully access the infiltrated law firms. For example, between March and September 2015, the Defendants attempted to cause unauthorized access to the networks and servers of these law firms on more than 100,000 occasions.”
The New York Department of Financial Services’ proposed security regulations – which will take effect in March – have been updated to require that third-party vendors (including law firms) working for banks and other financial institutions ensure that they can handle cyber threats.
But if history is any guide, law firms won’t truly reform their data risk efforts until their clients force them to do so. In-house counsel who may not be educated on cyber-attack issues should turn to their chief technology and chief information officers for assistance. And even if they are not cyber experts, in-house lawyers can ask a few basic questions when engaging firms, according to cybersecurity experts.
Among those questions: Has your firm been the subject of a material breach? Would you provide detailed information about the systems you have in place to prevent an attack? Do you have cybersecurity insurance? If so, how much and what does it cover? Are your employees trained and certified in cyber-attack prevention techniques?
The goal, data security professionals say, is not to stop all attacks. That would be impossible. But firms can limit the damage to themselves and their clients. As Joseph Abrenio, vice president of commercial services at Delta Risk and president of the Midwest Cyber Security Alliance, recently told The American Lawyer: “A law firm is not going to keep an advanced attacker from getting in the network. Therefore, the goal should be to limit what an attacker can do once they get inside the network.”
David L. Brown is chief content officer at In The House.