A law firm can only be successful if it can meet the needs of its clients. Few things put that success at risk more than the rising dangers and repercussions of cyber attacks.
In addition to the time, effort, and money a firm must spend responding to a successful breach, employees may find themselves unable to access the firm’s technology and, therefore, unable to bill hours. It’s a crippling situation that can permanently damage a firm’s reputation.
And the risk of breach is rising for the legal industry. Today, law firms store and share vast amounts of private data, which makes them prime targets for cyber attacks. In addition, the legal industry must comply with a number of sweeping regulations – or risk facing harsh financial penalties – making cybersecurity an even greater challenge.
Yet the legal industry is lagging behind the rest of the business world in key ways that can have major negative impacts on their cybersecurity. Nearly one-third of firms have yet to adopt the cloud, and a full quarter of firms don’t do any form of cybersecurity awareness training.
As cyber attacks against the legal industry continue to climb, it’s never been more important for firms to elevate their cybersecurity posture with 24×7 real-time cybersecurity operations that can manage vulnerabilities, monitor and detect threats, and respond to malicious and risky activity in real time. Otherwise, firms leave themselves open to major compliance and cyber threat risks.
To showcase the rising danger and repercussions, we’ve compiled a list of the ten of the biggest cyber attacks and cyberthreats targeting law firms.
The Most Notable Law Firm Cyber Attacks
10. Grubman Shire Meiselas & Sacks
In May 2020, Grubman Shire Meiselas & Sacks, which offers legal services to the entertainment and media industries, acknowledged having experienced a ransomware attack from the infamous REvil group. To exert pressure, the hackers leaked information involving Lady Gaga, who was a client of the law firm. They also threatened to release information involving other celebrities.
After initially asking for $21 million dollars, the attackers quickly doubled their payment demand, asking for a ransom payment of $42 million to prevent the release of the documents to the public.
- Cyber attack type: Ransomware
- Location: Undisclosed
- Cost: Undisclosed
- Data Accessed: Undisclosed
As part of its response, the firm disclosed that it had hired “the world’s experts who specialize in this area, and [is] working around the clock to address these matters.”
According to news outlets, the criminals behind the attack reported having received $365,000 from the firm. They threatened to release additional data, much of which involves celebrities, if they didn’t receive payment in full. The firm, for their part, claims to have not paid a single cent, as per the FBI’s recommendation. Some of the data has been recovered through the use of third-party experts, but much of the information remains lost and potentially available for purchase on the dark web.
9. Proskauer Rose
In April of 2023, global firm Proskauer Rose revealed that a threat actor was able to access 184,000 files containing “private and privileged financial and legal documents, contracts, non-disclosure agreements, financial deals and files relating to high-profile acquisitions.” This information was stored by a third-party vendor on an unsecured Microsoft Azure cloud server and was publicly accessible by anyone with internet access and the knowledge of where to look. Even worse? This data was left exposed for six full months before the threat actor accessed it.
“Our IT security team immediately took steps to reconfigure the site and secure its data,” said a firm spokesperson following the breach. “This is an ongoing investigation, and we have been urgently working with in-house and third-party cybersecurity experts to confirm our current understanding of the facts.”
- Cyber attack type: Data breach
- Location: Undisclosed
- Cost: Undisclosed
- Data Accessed: 184,000+ files
This is the second high-profile breach to hit Proskauer Rose, with their first coming in at number seven on the list. This highlights both the need for a robust incident response plan that can help shore up your defense post-breach, and that many law firms aren’t putting the time, talent, and treasure into their cybersecurity that they should be.
8. HWL Ebsworth
In April of 2023, HWL Ebsworth — one of Australia’s largest law firms — suffered a ransomware attack by Russian-linked ransomware-as-a-service group ALPHV/Blackcat. The firm, who counts Australia’s largest bank, ANZ, as well as the federal government among their clients, did not initially disclose the breach. Disclosure came from ALPHV/Blackcat themselves, posting on a dark web forum that they had accessed over 4TB of data, including employee CVs, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map.
HWL Ebsworth, somewhat reluctantly it appears, released a statement acknowledging the breach and pledging to work with the Australian Cyber Security Centre to determine the extent of the breach as well as steps for recovery and remediation.
- Cyber attack type: Ransomware
- Location: Australia
- Cost: Undisclosed
- Data Accessed: 4TB+ of personal and organizational information
The firm’s been pretty silent on the attack since that initial statement. But it seems things aren’t exactly going great. In June of 2023, ALPHV/Blackcat “published 1.45 terabytes of data on the dark web that it allegedly stole from HWL Ebsworth in late April, with the message: ‘ENJOY!!!’”
7. Jenner & Block and Proskauer Rose
In 2017, international firm Jenner & Block admitted that, in response to a request that appeared legitimate, the firm had “mistakenly transmitted” employee W-2 forms to “an unauthorized recipient.” The phishing scheme resulted in the inadvertent sharing of personal information of 859 individuals, including their Social Security numbers and salaries.
Proskauer Rose, victims of attack number 9 on our list, experienced a similar attack in 2016, involving what appeared to be a routine request from a senior executive within the firm. In this case, the firm lost control of more than 1,500 W-2s.
- Cyber attack type: Phishing
- Location: Undisclosed
- Cost: Undisclosed
- People affected: 2,359
Jenner & Block reported the breach to the relevant authorities. It provided two years of access to Experian’s ProtectMyID Elite 3B product to employees whose information was released. It also established a hotline for former and current employees and held townhall meetings with employees to discuss the breach.
Proskauer Rose also notified authorities of the disclosure of its employees’ personal information. The firm provided two years of identity recovery services for all employees, regardless of their involvement in the breach.
6. GozNym Malware
In 2016, two undisclosed law firms experienced attacks involving malware known as GozNym, which criminals used to covertly steal banking login and password information.
To trick law firm personnel into providing their banking credentials, the criminals sent a phishing email that directed the recipient to web pages designed to look like their bank’s website. The scheme used keystroke logging, which recorded the keys entered when victims visited the fake bank site. It then sent that information surreptitiously to the cybercriminals.
Once the criminals gained access to the law firm’s bank accounts, they transferred funds to other U.S. and foreign bank accounts they controlled. One law firm experienced a loss of more than $76,000, while the other firm lost $41,000.
- Cyber attack type: Phishing and malware
- Location: Washington D.C. and Wellesley, Massachusetts
- Cost: $117,000
- People and companies affected: Undisclosed
GozNym infected thousands of devices, with the potential to cause more than $100 million in losses. Thankfully, the group was dismantled as part of an international law enforcement operation before more damage could be done.
5. Moses Afonso Ryan Ltd.
The law firm Moses Afonso Ryan Ltd. had its critical files locked down for three months due to a ransomware attack in 2016. Specifically, the firm’s billing system and documents were frozen, so they could not be paid by clients and key financial information could not be accessed.
After the system was disabled, the law firm was forced to negotiate a ransom, which was paid in Bitcoin. In total, nearly $700,000 was lost in client billings, as well as the undisclosed ransom cost.
- Cyber attack type: Ransomware
- Location: Providence, Rhode Island
- Cost: At least $700,000
- People and companies affected: Unknown
Moses Afonso Ryan Ltd. was first required to pay Bitcoin upfront to the hackers, then negotiate additional Bitcoin releases later. This unfortunate predicament left the firm floundering and its employees unproductive for several months
4. Cravath Swaine & Moore and Weil Gotshal & Manges
Three Chinese nationals targeted the law firms of Cravath Swaine & Moore and Weil Gotshal & Manges to engage in insider trading and gather confidential information regarding pending mergers and acquisitions.
According to the U.S. government, Iat Hong, Bo Zheng, and Chin Hung earned over $4 million in profits while trading on information they stole from the law firms. To gather such information, the perpetrators used their unauthorized access to read emails belonging to partners at both firms about pending transactions involving public companies.
The indictment notes the defendants targeted five additional law firms, launching at least 100,000 attacks on those firms.
- Cyber attack type: Malware and other undisclosed methods
- Location: New York
- Cost: $4+ million
For trading on insider information, the U.S. Securities and Exchange Commission fined the perpetrators $8.8 million, more than double what they “earned.”
3. DLA Piper
In June 2017, DLA Piper suffered a ransomware attack that first struck its Ukrainian offices during an upgrade of its payroll software. The attack involved malware known as NotPetya. The firm cited its “flat network structure” as a reason the infection spread so quickly.
As a result of the attack, DLA Piper employees around the world could not use the firm’s telephones or email system, and some struggled to access certain documents. However, the firm states that it did not lose any data and its backups remained intact.
- Cyber attack type: Ransomware
- Location: Ukraine, then global
- Cost: Millions of dollars in billable hours and restoration time
In response to the attack, the firm’s IT department worked 15,000 hours of paid overtime. Given the depth and severity of the attack, the firm had to wipe and rebuild its Windows environment.
2. Appleby
In 2016, Appleby, an offshore law firm located in Bermuda, experienced a cyber attack. News of the attack surfaced in 2017, when the hack attracted interest from the ICIJ.
Known as the Paradise Papers, the law firm’s breached records included 13.4 million files. According to The Guardian, a total of 96 media companies and 381 journalists reviewed the documents.
The same journalists from Süddeutsche Zeitung who received the Panama Papers (see our top attack) also obtained the documents in the Paradise Papers. Appleby denied the involvement of an insider, instead claiming that hackers had taken the documents.
- Cyber attack type: Hack or insider attack
- Location: Bermuda
- Cost: Undisclosed
- People and companies affected: 120,000+
In response to the breach, Appleby engaged in legal action against The Guardian and the BBC, seeking compensation for the disclosure of its legal documents. It subsequently settled the dispute by entering into a confidential agreement with both media companies.
The ICIJ reports that the Paradise Papers resulted in the recovery of unpaid taxes and assessment of penalties. The ICIJ also reported an increased awareness of the need for vigilance and more robust security to prevent future breaches.
1. Mossack Fonseca
In April 2016, journalists from German newspaper Süddeutsche Zeitung, Bastian Obermayer and Frederik Obermaier, received approximately 11.5 million documents belonging to the Panamanian law firm Mossack Fonseca.
The journalists subsequently contacted the International Consortium of Investigative Journalists (ICIJ). The ICIJ put together a team of 107 media organizations located in 76 countries to review the documents, later known as the Panama Papers. Among other forms of questionable activity, the documents detailed the widespread use of shell companies and complex transactions as means of committing tax fraud.
While some claim that the 11.5 million records that ended up in the hands of the world press came from a leak from an anonymous insider, Mossack Fonseca claims that the firm experienced a hack.
- Cyber attack type: Hack or insider attack
- Location: Panama City, Panama
- Cost: The firm closed its doors in March 2018
- People affected: 300,000+
In the aftermath of the Panama Papers, several individuals mentioned in the documents resigned, including Iceland’s then prime minister, Sigmundur David Gunnlaugsson.
Governments around the world used the documents to recover more than $1.2 billion. As a direct result of the adverse publicity associated with the Panama Papers, Mossack Fonseca closed its doors in March 2018.
Learn how Law Firms Can Fight Back Against Cyber Attacks.
And gain insight into Modern Security Challenges for Law Firms.
