Bad torts: Law firms feel the heat from rising cyber threats

Tingey Injury Law Firm / Unsplash

The legal industry is increasingly under attack by ransomware criminals and other malicious groups, with a significant spate of costly incidents over the past several months alone. Experts say the sensitive data law firms hold and their lagging attention to cybersecurity make them prime targets.

Public reports of ransomware attacks on law firms have accelerated this year, with massive amounts of sensitive client data now in the hands of threat actors, highlighting a growing trend of cyber incidents afflicting the legal business. "2023 is just a banner year for law firm data breaches to the chagrin of the law firms," Sharon D. Nelson, Esq, president of digital forensics, cybersecurity and information technology firm Sensei Enterprises, told README.

Over the past few months alone, there has been a spurt of reports of attacks on law firms, including "big law" firms—the biggest, richest and most prestigious legal advisors operating across multiple offices nationwide and many countries globally. Although these big law firms have a diverse clientele, they are best known for representing the world's most powerful corporations and governments.

The following are some of the publicly known incidents affecting law firms that have occurred or been revealed since June:

  • On July 21, global law firm Orrick, Herrington & Sutcliffe reported that it experienced a data breach on March 13 involving more than 152,818 individuals, including customers of client Delta Dental of California, when an unauthorized party gained remote access to a file share that it used to store certain client files.
  • On July 6, the Law Foundation of Silicon Valley, which provides free legal services, began notifying regulators of a "sophisticated" February ransomware attack, for which the AlphV/Black Cat ransomware group later took credit, that exposed the social security numbers and other personal information for more than 42,000 of its clients.
  • In early July, three blue-chip big law firms, Kirkland & Ellis, Proskauer Rose and K&L Gates, were revealed to have suffered ransomware attacks by the Clop gang. The files stolen from these legal powerhouses appear on the Clop gang's leak site, which likely means none of the firms paid the ransom. The Clop gang lists over 100 tranches of files that encompass sensitive documents entrusted to the three firms, including what the group calls "secret information files," including a sample file containing a mutual confidentiality and non-disclosure agreement drafted for a client.
  • In June, big law firms Bryan Cave Leighton Paisner, Gibson, Dunn & Crutcher, and Loeb & Loeb reported data breaches to state regulators.

Cyberattacks on lawyers and law firms are not limited to the U.S. In late June, leading cybersecurity authorities in the U.K. and the U.S. issued reports on cyber threats to the legal sector. In the U.K., GCHQ's National Cyber Security Centre's (NCSC) report noted that cyberattacks on the legal industry are rising, primarily from four groups: cybercriminals with a financial motive; nation-states who seek to steal funds, cause disruption or steal intellectual property; politically motivated hacktivists; and insider threats. An NCSC spokesperson told README that nearly three-quarters of the U.K.'s top 100 law firms have been affected by cyberattacks.

France's ANSSI information security service noted that for-profit attacks are the biggest threat today observed for law firms, while the attack surface of law firms continues to expand due to the increasing digitization of the profession and legal proceedings. Citing a Reuters investigation, ANSSI also said mercenary hackers from India were drafted to help sway high-profile cases in the U.S.

Australia has been coping with the fallout on law firm HWL Ebsworth, which was hit in April by a ransomware attack by the Russian-linked ALPHV/BlackCat ransomware group, which has counted as clients at least 60 departments or government agencies that used the firm's services. On September 18, the country's national cybersecurity coordinator, Air Marshal Darren Goldie, revealed that sixty-five Australian government departments and agencies were victims of the attack.

Why law firms are prime targets

The sensitive information that law firms hold places them squarely on hackers' radar. "Law firms are a significant target for cybercriminals," The Law Society of England and Wales President Lubna Shuja told README. "They routinely handle large volumes of personal or commercially sensitive data, including financial data, in a very demanding, fast-moving environment," she said. "Criminal organizations may want to use information that relates to ongoing cases or corporate transactions. Legal practices also routinely handle significant sums of money involved in transactions in a number of sectors, making them an attractive potential target."

Brett Callow, threat analyst at Emsisoft, told README that while attacks on law firms have come to the fore in recent weeks, "this is in no way at all a new problem, and it has been going on for several years," with clients opting to settle rather than endure the bad publicity. "They aren't like everybody else in that they hold exceptionally sensitive information," Callow said. "And the fact that that information can be monetized in various ways makes them a very attractive target."

In addition to the prized nature of information that law firms hold, the legal profession's reliance on outside contractors makes them vulnerable to malicious actors. "Many legal practices, especially smaller firms, chambers, and individual practitioners, rely on an external I.T. services provider, making it challenging for them to assess for themselves whether the controls they have in place are appropriate to the risk they face," an NCSC spokesperson said.

Despite ANSSI's warning, experts say few attackers appear to seek an upper hand in litigation when they target law firms. "I think trying to get a hand in litigation is not at all common, but it has happened, and it's something that some lawyers at least need to be aware of," Lawrence Akka, KC, Chair of the Bar Council of England and Wales IT Panel, told README.

Hackers who want to gain an edge in litigation "absolutely exist," Sensei Enterprises' Nelson said. But, "that does not seem to be particularly the major goal of the people who are being attackers now. They want money, or they want data."

Law firms suing law firms

Despite being ripe for exploitation, law firms, especially small or medium-sized firms, are generally not considered to be on the cutting edge when it comes to implementing adequate cybersecurity protections. "One small law firm was breached because one of the lawyers was using 'BMWman' as his password for remote access," Callow told README. (An online password strength assessment tool operated by Bitwarden estimated that it would take at most 19 seconds to crack that password; similar tools said it could be cracked in as few as six seconds.)

John Simek, Vice President of Sensei Enterprises, told README, "Historically, law firms have been laggards in the technology curve. The sole exception would be the adoption of the iPhone. But other than that, their tendency has been not to be out in front. They're not implementers."

Aside from the reputational fallout when law firms get hit by cyberattacks, their behind-the-curve adoption of good cybersecurity practices leaves them open to their own lawsuits. In March 2023, the U.S. Securities and Exchange Commission sued Covington & Burling to obtain the names of 298 publicly traded clients affected by a 2020 cyberattack. A U.S. District Court judge on July 24 deemed the SEC's request "overly broad" but ordered the firm to turn over the names of seven clients whose data was compromised in the incident. Covington agreed to share the names of six of the seven clients who have consented to their disclosure to the SEC,

Class-action lawsuits are emerging over law firm data breaches. Class-action litigants have lodged complaints against Bryan Cave, Cadwalader, Wickersham & Taft, Smith, Gambrell & Russell and two smaller firms, Cohen Cleary and Spear Wilderman (with the suits against Cadwalader and Smith Gambrell later dropped.) All the complaints allege that the law firms didn't sufficiently guard against cyberattacks.

In August, a class action lawsuit was filed in California federal court against Orrick, Herrington & Sutcliffe, with the litigants claiming the firm did not inform the alleged victims of the data breach until June, more than three months after it occurred. Later in the month, Orrick got hit with a second lawsuit in California regarding the late notification, which also alleged that Orrick failed to create and implement reasonable data security practices.

Another concern for attorneys, according to Akka, "is the possibility of funding crime indirectly and possibly funding terrorism contrary to anti-terrorism and money laundering legislation. These funds are not going to clean places. So, there's the potential risk that you may find yourselves being prosecuted if you pay because you might be involving yourselves in criminal activity."

No guarantee data will be deleted after ransom payment

Experts agree that law firms must take the proper steps after a cybersecurity incident. "It's essential that legal professionals know how to react after a cyberattack to help protect their firm's systems from further damage or loss and clients' data from being compromised," Law Society's Shuja said.

As they suggest for any organization hit with a ransomware attack, experts say that law firms should not pay the ransom because there is no guarantee that the attackers will destroy the data, no matter what promises the attackers make. Emsisoft's Callow said, "There is no guarantee that the criminals will delete the data. There is no way of confirming that they have actually done so after they've been paid. And realistically, why would they delete data? It's especially valuable and can be further monetized for later days."

The threat actor "may just think, great, they paid," Bar Council's Akka said. "We'll just ask them for more. Your name may get out there as a target, so you'll just be hacked by someone else. And really, once it's gone, it's gone."

But Akka's main advice is to plan for these scenarios in advance. "Don't leave it until the aftermath," he said. His organization stresses training and more training, not only to help ward off cyber incidents but also to deal with the aftermath.

"You don't want to be calling a board meeting or a management committee meeting at 6 p.m. on a Friday evening just because you've suddenly discovered your files have been hacked," Akka said. "Figure it out in advance because the last thing you want to be doing when you get that blue screen on your computer saying all your files have been locked is asking, 'What do we do now'?"

Sensei's Nelson said, "The very first thing they have to do is make sure they have a very highly rated data breach attorney, someone who is accustomed to dealing with all of this because somebody needs to guide you through it, and it needs to be somebody who's on your side that there's privilege between you and that lawyer. You want somebody who has been around the block a few times and has been successfully involved in these cases to help guide the client because the tendency is to run around like headless chickens."

As is true for all organizations hit by a ransomware attack, law firms can significantly speed the process of remediation and recovery if they have insurance. "New research shows that fewer than one in three firms, or 28%, took out cyber insurance this year," Shuja said. "Given the concerning threats to cyber security and increased online working, we urge firms to give serious consideration to obtaining specific cyber liability insurance cover."

Yet again, like any other organization, law firms are reluctant to spend money on expenses, such as cyber insurance or improved cybersecurity, because these costs eat into the bottom line. But, as the recent attack spree illustrates, "it's not money down the drain," Akka said. "You don't want to be the firm that's well known for having lost all their client's details last year."