Joel Palmer

Hackers attack law firms for multiple reasons and from multiple sources

Last year, a single data breach left sensitive data from nearly 200 law firms exposed.

The breach was discovered and reported in April-May 2020 by TurgenSec, an information security firm. Its researchers “discovered a potentially sensitive open database accessible to anyone with a browser and internet connection.”

In other words, anybody with internet access looking in the right place – your neighbor’s teenage son, other law firms not affected by the breach, a cybercrime syndicate that sells sensitive information to the highest bidder – could have downloaded information on these firms’ cases, clients, and staff members.

“Due to the sensitive nature of the data, we judged there to be a high likelihood of harm to the individuals and organizations involved,” read the statement. The database was exposed “for an extended period.”

According to TurgenSec, the breach occurred at one of the largest software providers in the UK. Not at a law firm. Not at a two-person startup technology company. It happened at one of the largest software companies in that country.

Just another reminder that data breaches and lax cybersecurity can happen anywhere.

Every law firm, no matter what size or what area of law it practices, must have cyber liability coverage as part of its errors and omissions insurance. In addition, your cyber protection should include both first-party and third-party cyber liability insurance.

First-party insurance covers losses that resulted from a hack on your firm’s network or systems. Third-party cyber liability insurance protects your business when an attack or breach occurs on a third party’s network or systems.

Law firms are increasingly the target of cybercriminals. Hackers are drawn to the information firms possess on their clients. Plus, law firms have a reputation for having lax cybersecurity.

Because of the lack of security, law firms are also a convenient way for hackers to break into the databases of their corporate or institutional clients. By hacking into just one law firm’s network, a cybercriminal can gain access to information on hundreds or even thousands of companies and individuals.

Cybercriminals are not unlike your run-of-the-mill burglar. If they can’t get through the front door, they’ll try the back door or a window. They’ll keep looking until they find a vulnerable entry point.

In the cyberworld, where everything is connected by a network of wires, servers, and clouds, a target’s most vulnerable entry point isn’t always its own network. It’s a third party, such as a vendor, customer or service provider.

There is no shortage of examples of third-party data breaches. One of the most publicized was the 2014 breach of retailer Target Corp. that occurred through the company’s HVAC vendor.

Last year, General Electric was impacted by a data breach of one of its third-party service providers, Canon Business Process Services. The breach occurred through unauthorized access to a Canon employee’s email account.

Also last year, more than 8 million sales records of Amazon, eBay, Shopify and online firms were exposed by a security vulnerability in a third-party app used by retailers in the European Union for calculating taxes.

Even Microsoft was a recent victim after hackers compromised one of the company’s corporate partners that handle cloud-access services.

A ransomware attack on an insurance company in March 2020 may have compromised information about current and former employees at the New York law firm Cadwalader, Wickersham & Taft.

Not only can law firms be the victims of a third-party attack, they are also frequently the vulnerable entry point to a bigger target. For example:

A small Kansas City law firm was recently sued for $1.5 million by one of its clients, an insurance company. The suit was brought after the law firm was hacked, enabling hackers to steal data about the insurance company and its clients.

In October 2020, the New York firm of Fragomen, Del Rey, Bernsen & Loewy LLP reported that it had suffered a data breach that compromised personal information of employees at Google. The firm provides employment verification compliance services for the tech company.

