A law firm can only be successful if it can meet the needs of its clients, and few components put that success at risk more than the rising danger and repercussions of a cyber attack.
In addition to the time, effort, and money a firm must spend responding to a successful breach, employees may find themselves unable to access the firm’s technology and, therefore, unable to bill hours. It’s a crippling situation that can permanently damage a firm’s reputation, as well as the personally identifying information (PII) and other sensitive information it may be responsible for.
And the risk of breach is rising for the legal industry. According to a recent survey by Arctic Wolf and Above the Law, 39% of respondents reported that their firm has had a security breach that they were aware of in the last year. Additionally, among the survey respondents who experienced a security breach, 56% lost confidential client data — among the worst things that can happen to a law firm. There’s little doubt that cyber threats are increasing for this industry.
Why Law Firms are at Risk of a Cyber Attack
Law firms find themselves in the crosshairs of threat actors for a multitude of reasons including:
- An evolving digital landscape that sees firms relying more on web-based applications and the cloud
- A lack of incident response (IR) preparation among firms
- Firms’ storage of confidential data about themselves and their clients
- A lack of personnel dedicated to cybersecurity
- Emerging threats that are targeting all industries, including firms
- Vast compliance standards that can be difficult to implement and maintain
The data highlights these issues as well, illustrating just how difficult it can be for firms to harden their security posture amidst rising threats.
- Only 26% of law firms believe their firm is “very prepared” to respond to cyber incidents
- 60% of firms identified the sophistication level of threats and attacks as the biggest challenge they face in reducing cyber risk
- The average ransom for legal organisations was $1 million USD in 2023
Aird & Berlis, a leading Canadian law firm, works with Arctic Wolf to harden their security posture and protect their valuable data. When asked about the threats facing law firms, the firm stated, “ The ultimate challenge is maintaining an agile defense against evolving cybersecurity threats, while adhering to our clients’ rigorous compliance standards.”
It’s a constant battle for law firms and they’re fighting it on multiple fronts, from dealing with sophisticated threats to trying to meet rapidly changing compliance and client-mandated requirements to finding the staff and resources to further their security journey.
To showcase the rising danger and repercussions, we’ve compiled a list of some of the biggest cyber attacks that have struck law firms. This list is not comprehensive, and in some cases, limited information is available. Because law firms are not required to disclose the details of breaches, nor if they paid ransom in the case of a ransomware attack, there may have been costly, damaging breaches that are not public knowledge.
The Most Notable Law Firm Cyber Attacks
11. Orrick, Herrington & Sutcliffe
Attack type: Unknown, data exfiltration
Location: San Francisco
Cost: Undisclosed
Data accessed: PII and health data of more than 637,000 previous breach victims
In what turned out to be a sophisticated and smart attack, threat actors went after a firm that works with data breach victims in March of 2023.
The San Francisco-based firm, Orrick, Herrington & Sutcliffe represents and works with organisations who are hit by security incidents, which means they had on file a treasure trove of data, including credit card information, login credentials, and more.
The hack resulted in multiple class-action lawsuits.
10. Grubman Shire Meiselas & Sacks
Attack type: Ransomware
Location: Undisclosed
Cost: Undisclosed
Data accessed: Undisclosed
In May 2020, Grubman Shire Meiselas & Sacks, which offers legal services to the entertainment and media industries, experienced a ransomware attack from the infamous REvil group. To exert pressure, the hackers leaked information involving Lady Gaga, who was a client of the law firm. They also threatened to release information involving other celebrities.
After initially asking for $21 million USD, the attackers quickly doubled their payment demand, asking for a ransom payment of $42 million to prevent the release of the documents to the public.
As part of its response, the firm disclosed that it had hired “the world’s experts who specialise in this area and [is] working around the clock to address these matters.”
According to news outlets, the criminals behind the attack reportedly received $365,000 USD from the firm. They threatened to release additional data, much of which involved celebrities, if they didn’t receive payment in full. The firm, for their part, claims to have not paid a single cent.
9. Proskauer Rose
Attack type: Data breach
Location: Undisclosed
Cost: Undisclosed
Data accessed: 184,000+ files
In April of 2023, global firm Proskauer Rose revealed that a threat actor was able to access 184,000 files containing “private and privileged financial and legal documents, contracts, non-disclosure agreements, financial deals and files relating to high-profile acquisitions.” This information was stored by a third-party vendor on an unsecured Microsoft Azure cloud server and was publicly accessible by anyone with internet access and knowledge of where to look. Even worse, this data was left exposed for six full months before the threat actor accessed it.
“Our IT security team immediately took steps to reconfigure the site and secure its data,” said a firm spokesperson following the breach. “This is an ongoing investigation, and we have been urgently working with in-house and third-party cybersecurity experts to confirm our current understanding of the facts.”
This is the second high-profile breach to hit Proskauer Rose, with their first coming lower down on the list. This highlights both the need for robust IR that can help shore up your defense post-breach, and that many law firms aren’t putting the time, talent, and treasure into their cybersecurity that they should be.
Learn how your firm can better secure your cloud environment.
8. HWL Ebsworth
Attack type: Ransomware
Location: Australia
Cost: Undisclosed
Data accessed: 4TB+ of personal and organisational information totaling 2.2 million files
In April of 2023, HWL Ebsworth — one of Australia’s largest law firms — suffered a ransomware attack by notorious ransomware-as-a-service (RaaS) group ALPHV/Blackcat. The firm, who counts Australia’s largest bank, ANZ, as well as the federal government, among their clients, did not initially disclose the breach initially. Disclosure came from ALPHV/Blackcat themselves, posting on a dark web forum that they had accessed over 4TB of data, including employee resumes, IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map.
HWL Ebsworth released a statement acknowledging the breach and pledged to work with the Australian Cyber Security Centre to determine the extent of the breach as well as steps for recovery and remediation.
The firm has been silent on the attack since that initial statement. In June of 2023, ALPHV/Blackcat “published 1.45 terabytes of data on the dark web that it allegedly stole from HWL Ebsworth in late April, with the message: ‘ENJOY!!!’”
In response, NSW Supreme Court issued an injunction banning individuals from accessing the stolen files.
7. Jenner & Block and Proskauer Rose
Attack type: Phishing
Location: Undisclosed
Cost: Undisclosed
People affected: 2,359
In 2017, international firm Jenner & Block admitted that, in response to a request that appeared legitimate, the firm had “mistakenly transmitted” employee W-2 forms to “an unauthorised recipient.” The phishing scheme resulted in the inadvertent sharing of personal information of 859 individuals, including their Social Security numbers and salaries.
Proskauer Rose, also victims of attack number nine on our list, experienced a similar attack in 2016, involving what appeared to be a routine request from a senior executive within the firm. In this case, the firm lost control of more than 1,500 W-2s.
Jenner & Block reported the breach to the relevant authorities. It provided two years of access to Experian’s ProtectMyID Elite 3B product to employees whose information was released. It also established a hotline for former and current employees and held townhall meetings with employees to discuss the breach.
Proskauer Rose notified authorities of the disclosure of its employees’ personal information. The firm also provided two years of identity recovery services for all employees, regardless of their involvement in the breach.
6. GozNym Malware
Attack type: Phishing and malware
Location: Washington D.C. and Wellesley, Massachusetts
Cost: $117,000
People and companies affected: Undisclosed
In 2016, two undisclosed law firms experienced attacks involving malware known as GozNym, which criminals used to covertly steal banking login and password information from their systems.
To trick law firm personnel into providing their banking credentials, the criminals sent a phishing email that directed the recipient to web pages designed to look like their bank’s website. The scheme used keystroke logging, which recorded the keys entered when victims visited the fake bank site. It then sent that information surreptitiously to the cybercriminals.
Once the criminals gained access to the law firm’s bank accounts, they transferred funds to other U.S. and foreign bank accounts they controlled. One law firm experienced a loss of more than $76,000 USD, while the other firm lost $41,000 USD.
GozNym infected thousands of devices, with the potential to cause more than $100 million in losses. Thankfully, the group was dismantled as part of an international law enforcement operation before more damage could be done.
5. Moses Afonso Ryan Ltd.
Attack type: Ransomware
Location: Providence, Rhode Island
Cost: At least $700,000 USD
People and companies affected: Unknown
The law firm Moses Afonso Ryan Ltd. had its critical files locked down for three months due to a ransomware attack in 2016. Specifically, the firm’s billing system and documents were frozen, so they could not receive payments from clients and key financial information could not be accessed.
After the system was disabled, the law firm was forced to negotiate a ransom, which was paid in Bitcoin. In total, nearly $700,000 USD was lost in client billings, as well as the undisclosed ransom cost.
Moses Afonso Ryan Ltd. was first required to pay Bitcoin upfront to the hackers, then negotiate additional Bitcoin releases later. This unfortunate predicament left the firm floundering and its employees unproductive for several months.
4. Cravath Swaine & Moore and Weil Gotshal & Manges
Attack type: Malware and other undisclosed methods
Location: New York
Cost: $4+ million USD
Three Chinese nationals targeted the law firms of Cravath Swaine & Moore and Weil Gotshal & Manges to engage in insider trading and gather confidential information regarding pending mergers and acquisitions.
According to the U.S. government, Iat Hong, Bo Zheng, and Chin Hung earned over $4 million USD in profits while trading on information they stole from the law firms. To gather such information, the perpetrators used their unauthorised access to read emails belonging to partners at both firms about pending transactions involving public companies.
The indictment notes the defendants targeted five additional law firms, launching at least 100,000 attacks on those firms.
For trading on insider information, the U.S. Securities and Exchange Commission (SEC) fined the perpetrators $8.8 million USD, more than double what they “earned.”
3. DLA Piper
Attack type: Ransomware
Location: Ukraine, then global
Cost: Millions of dollars in billable hours and restoration time
In June 2017, DLA Piper suffered a ransomware attack that first struck its Ukrainian offices during an upgrade of its payroll software. The attack involved the now-famous malware known as NotPetya. The firm cited its “flat network structure” as a reason the infection spread so quickly.
Due to the attack, DLA Piper employees worldwide could not use the firm’s telephones or email system, and some struggled to access certain documents. However, the firm states that it did not lose any data and its backups remained intact.
In response to the attack, the firm’s IT department worked 15,000 hours of paid overtime. Given the depth and severity of the attack, the firm had to wipe and rebuild its entire Windows environment.
NotPetya is part of the Petya malware family, which looks like ransomware but operates as a wiper. NotPetya attacks have been blamed on the Russian government.
2. Appleby
Attack type: Hack or insider attack
Location: Bermuda
Cost: Undisclosed
People and companies affected: 120,000+
In 2016, Appleby, an offshore law firm located in Bermuda, experienced a cyber attack. News of the attack surfaced in 2017, when the hack attracted interest from the International Consortium of Investigative Journalists (ICIJ).
Known as the Paradise Papers, the law firm’s breached records included 13.4 million files. According to The Guardian, a total of 96 media companies and 381 journalists reviewed the documents.
The same journalists from Süddeutsche Zeitung who received the Panama Papers (see our top attack) also obtained the documents in the Paradise Papers. Appleby denied the involvement of an insider, instead claiming that hackers had taken the documents.
In response to the breach, Appleby engaged in legal action against The Guardian and the BBC, seeking compensation for the disclosure of its legal documents. It subsequently settled the dispute by entering into a confidential agreement with both media companies.
The ICIJ reports that the Paradise Papers resulted in the recovery of unpaid taxes and assessment of penalties. The ICIJ also reported an increased awareness of the need for vigilance and more robust security to prevent future breaches.
1. Mossack Fonseca
Attack type: Hack or insider attack
Location: Panama City, Panama
Cost: The firm closed its doors in March 2018
People affected: 300,000+
In April 2016, journalists from German newspaper Süddeutsche Zeitung, Bastian Obermayer and Frederik Obermaier received approximately 11.5 million documents belonging to the Panamanian law firm Mossack Fonseca.
The journalists subsequently contacted the ICIJ. The ICIJ put together a team of 107 media organisations located in 76 countries to review the documents, later known as the Panama Papers. Among other forms of questionable activity, the documents detailed the widespread use of shell companies and complex transactions as means of committing tax fraud.
While some claim that the 11.5 million records that ended up in the hands of the world press came from a leak by an anonymous insider, Mossack Fonseca claims that the firm experienced a hack.
In the aftermath of the Panama Papers, several individuals mentioned in the documents resigned, including Iceland’s then prime minister, Sigmundur David Gunnlaugsson.
Governments around the world used the documents to recover more than $1.2 billion USD. As a direct result of the adverse publicity associated with the Panama Papers, Mossack Fonseca closed its doors in March 2018.
Watch our webinar to learn how law firms can fight back against cyber attacks.
See how Arctic Wolf keeps leading law firms safe from attacks while helping them secure their valuable data.
