When a law firm experiences a breach, there’s a lot at stake. In addition to the time, effort and expense the firm must spend responding to a cyber attack, employees may find themselves unable to access the firm’s technology and, therefore, unable to invoice hours.

To sum it up, a firm’s reputation suffers when it can’t meet the needs of its clients, which in turn, could lead to a loss of market share.

Meanwhile, the risk of being breached is significant. In its 2019 Legal Technology Survey Report, the American Bar Association noted that 26% of the firms surveyed reported having experienced a security breach. Cybersecurity incidents included hacks, website attacks and the loss of devices such as laptops.

To showcase the rising danger and repercussions, we’ve compiled a list of the eight most notable cyberattacks and cyberthreats targeting law firms.

The Most Damaging Legal Industry Cyberattacks

8. Oleras

In 2016, a cybercriminal using the alias Oleras allegedly targeted 50 law firms to steal confidential information to facilitate insider trading. The hacker attempted to hire accomplices via the criminal underground to help breach the law firms’ defences and then use keywords to search for pending deals

To entice others to join, Oleras advertised a plan that detailed the names, email addresses and social media accounts of the law firm employees to be targeted.

One of the phishing emails associated with the scheme appeared to originate from a business journal asking to run a profile of the recipient about their work in mergers and acquisitions.

• Cyberattack type: Phishing
• Location: United States
• Cost: Undisclosed

Once made aware of the threat, the FBI initiated an investigation and issued an industry alert. To date, none of the law firms targeted by Oleras have disclosed a breach in their firm’s defences.

7. Jenner & Block and Proskauer Rose

Jenner & Block admitted that, in response to a request that appeared legitimate, the firm had ‘mistakenly transmitted’ employee W-2 forms to ‘an unauthorised recipient’ in 2017. The phishing scheme resulted in the inadvertent sharing of personal information of 859 individuals, including their Social Security numbers and salaries.

Proskauer Rose experienced a similar attack, involving what appeared to be a routine request from a senior executive within the firm. In this case, the firm lost control of more than 1,500 W-2s.

• Cyberattack type: Phishing
• Location: New York
• Cost: Undisclosed
• People affected: 2,359

Jenner & Block reported the breach to the relevant authorities. It provided two years of access to Experian’s ProtectMyID Elite 3B product to employees whose information was released. It also established a hotline for former and current employees and held townhall meetings with employees to discuss the breach.

Proskauer Rose also notified authorities of the disclosure of its employees’ personal information. The firm provided two years of identity recovery services for all employees, regardless of their involvement in the breach.

6. GozNym Malware

In 2016, two undisclosed law firms experienced attacks involving malware known as GozNym, which criminals used to covertly steal banking login and password information.

To trick law firm personnel into providing their banking credentials, the criminals sent a phishing email that directed the recipient to web pages designed to look like their bank’s website. The scheme used keystroke logging, which recorded the keys entered when victims visited the fake bank site. It then sent that information surreptitiously to the cybercriminals.

The attack targeted bank accounts at Bank of America and Brookline Bank. Once the criminals gained access to the law firm’s bank accounts, they transferred funds to other US and foreign bank accounts that they controlled. One law firm experienced a loss of more than $76,000, while the other firm lost $41,000.

• Cyberattack type: Phishing and malware
• Location: Washington D.C. and Wellesley, Massachusetts
• Cost: $117,000

According to the indictment, GozNym infected thousands of devices, with the potential to cause more than $100 million in losses.

5. Cravath Swaine & Moore and Weil Gotshal & Manges

To engage in insider trading and gather confidential information regarding pending mergers and acquisitions, three Chinese nationals targeted the law firms of Cravath Swaine & Moore and Weil Gotshal & Manges.

According to the US government, Iat Hong, Bo Zheng and Chin Hung earned over $4 million in profits while trading on information they stole from the law firms. To gather such information, the perpetrators used their unauthorised access to read emails belonging to partners at both firms about pending transactions involving public companies.

The indictment notes that the defendants targeted five additional law firms, launching at least 100,000 attacks on those firms.

• Cyberattack type: Malware and other undisclosed methods
• Location: New York
• Cost: Undisclosed
• Illegal trading profits: $4+ million

For trading on insider information, the US Securities and Exchange Commission fined the perpetrators $8.8 million.

4. DLA Piper

In June 2017, DLA Piper suffered a ransomware attack that first struck its Ukrainian offices during an upgrade of its payroll software. The attack involved malware known as NotPetya. The firm cited its ‘flat network structure’ as a reason the infection spread so quickly.

As a result of the attack, DLA Piper employees around the world could not use the firm’s telephones or email system, and some struggled to access certain documents. However, the firm states that it did not lose any data and its backups remained intact.

• Cyberattack type: Ransomware
• Location: Ukraine, then global
• Cost: Millions of dollars

In response to the attack, the firm’s IT department worked 15,000 hours of paid overtime. Given the depth and severity of the attack, the firm had to wipe and rebuild its Windows environment.

3. Appleby

In 2016, Appleby – an offshore law firm located in Bermuda – experienced a cyberattack. News of the attack surfaced in 2017, when the hack attracted interest from the ICIJ.

Known as the Paradise Papers, the law firm’s breached records included 13.4 million files. According to The Guardian, a total of 96 media companies and 381 journalists reviewed the documents.

The same journalists from Süddeutsche Zeitung who received the Panama Papers also obtained the documents in the Paradise Papers. Appleby denied the involvement of an insider, instead claiming that hackers had taken the documents.

• Cyberattack type: Hack or insider attack
• Location: Bermuda
• Cost: Undisclosed
• People and companies affected: 120,000+

In response to the breach, Appleby engaged in legal action against The Guardian and the BBC, seeking compensation for the disclosure of its legal documents. It subsequently settled the dispute by entering into a confidential agreement with both media companies.

The ICIJ reports on the Paradise Papers resulted in the recovery of unpaid taxes and assessment of penalties. The ICIJ also reports an increased awareness of the need for vigilance and more robust security to prevent future breaches.

2. Grubman Shire Meiselas & Sacks

In May 2020, Grubman Shire Meiselas & Sacks, which offers legal services to the entertainment and media industries, acknowledged having experienced a ransomware attack. To exert pressure, the hackers leaked information involving Lady Gaga, who is a client of the law firm. They also threatened to release information involving other celebrities.

The attackers asked for a ransom payment of $42 million to prevent the release of the documents to the public. The perpetrators originally asked for $21 million, then doubled their payment demand.

According to news outlets, the criminals behind the attack reported having received $365,000 from the firm so far. They threatened to release additional data, much of which involves celebrities, if they do not receive payment in full.

• Cyberattack type: Ransomware
• Location: Undisclosed
• Cost: To be determined
• People affected: To be determined

As part of its response, the firm disclosed that it has hired ‘the world’s experts who specialise in this area, and [is] working around the clock to address these matters’.

Previously, Travelex – a British company that provides foreign exchange services – paid the same criminal gang a $2.3-million ransom to regain control of its files and network.

1. Mossack Fonseca

In April 2016, journalists from German newspaper Süddeutsche Zeitung, Bastian Obermayer and Frederik Obermaier, received approximately 11.5 million documents belonging to the Panamanian law firm Mossack Fonseca. The journalists subsequently contacted the International Consortium of Investigative Journalists (ICIJ). The ICIJ put together a team of 107 media organisations located in 76 countries to review the documents, later known as the Panama Papers. Among other forms of questionable activity, the documents detailed the widespread use of shell companies and complex transactions as means of committing tax fraud.

While some claim that the 11.5 million records that ended up in the hands of the world press came from a leak from an anonymous insider, Mossack Fonseca claims that the firm experienced a hack.

Cyberattack type: Hack or insider attack

Location: Panama City, Panama

Cost: The firm closed its doors in March 2018

People affected: 300,000+

In the aftermath of the Panama Papers, several individuals mentioned in the documents resigned, including Iceland’s then prime minister, Sigmundur David Gunnlaugsson. Governments around the world used the documents to recover more than $1.2 billion. As a direct result of the adverse publicity associated with the Panama Papers, Mossack Fonseca closed its doors in March 2018.

In addition to attempting to commit run-of-the-mill bank fraud, cybercriminals increasingly want access to the data and intellectual property in a firm’s possession. In fact, many of the most damaging attacks involve either the outright theft of confidential data to support insider trading schemes or the theft and ransom of law firms’ client data.

If you’re looking to enhance security at your organisation, Arctic Wolf provides law firms with customised cybersecurity services, which include round-the-clock, on-demand access to a dedicated team of security experts with extensive experience working with the legal sector.