Summary: Many large law firms do not disclose or even acknowledge when their systems are hacked, causing concern for many clients and members of law enforcement.
Although hackings and breaches of Internet security seem more and more common, the legal sector has rarely disclosed such a breach. According to the New York Times, both corporate clients and law enforcement have been frustrated with the failure of major United States law firms to disclose such breaches. According to Bloomberg, such breaches have occurred for the past ten years.
Recently, an internal report from Citigroup’s cyberintelligence center echoed this frustration. The report warned bank employees of the threat of security breaches on the networks and websites of large law firms. The report read, “Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise.”
The report from Citigroup was issued in February. It said that it was realistic to expect these law firms to be targeted by foreign hackers and governments since their networks contain so much confidential data on subjects such as corporate deals and business strategies. The report added that bank employees should be mindful that digital security at many firms has improved, but is below the levels of other industries. The report noted that law firms face a “high risk of cyberintrusion” and that they would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
Citigroup’s team also noted several ways that hackers have already snuck into law firm websites and servers, such as direct attacks on websites, breaching their systems, or using the law firm names in phishing efforts to fool individuals into revealing private information.
Other Wall Street banks are also pushing the legal sector to take further action against hackers and security breaches of client data. For close to a year, law firms and banks have discussed creating a partnership to share information about hacking events. Banks also want more documentation from law firms about Internet security as a condition of their retainer.
Over the past several months, Mandiant, a security firm that is a subsidiary of FireEye, has advised several law firms that were victims of some sort of breach or attack.
Federal law enforcement is also advising these law firms to be more open about reporting a hacking incident when it occurs. The Federal Bureau of Investigation met with the leaders of law firms in the past few years to discuss their online security. The highest-ranked federal prosecutors at the Justice Department have also begun to meet with these firms. According to a separate article by Bloomberg, these breaches may risk compromising the attorney-client privilege.
John P. Carlin is the assistant attorney for national security. Earlier this month, he spoke at an American Bar Association conference in New Orleans, telling lawyers that they need to inform both clients and law enforcement if cyberattacks or Internet security breaches occur. In a recent interview, Carlin said, “There are still a lot of companies that try to go it on their own. They try to circle the wagons.”
Carlin had not seen the Citigroup report, but said that law firms need to report such serious incidents, and not view them as “a badge of shame.” Carlin said he planned to relay a similar message to investors and big money managers at a hedge fund conference in Las Vegas in May.
According to Citigroup, Fried Frank suffered a watering hole attack back in 2012. Hackers infected its website with malware, which is an intrusive program that can infect the computers of those who visit the site.
Steve Lewis, the director of information systems at the firm, said that Fried Frank’s data network had “never been breached and client information has never been compromised.” Lewis added that the firm’s public website was hosted by a separate vendor and that it “contains no confidential information.”
Covington & Burling, another large law firm, based in Washington, D.C., also suffered an attack in 2012. That attack appeared to have been led by a “China-based†group of hackers who apparently sent fraudulent emails, probably in an attempt to learn more about the firm’s corporate clients, such as energy companies and military contractors. Attorney General Eric H. Holder, Jr., also used to practice there.
According to Citigroup’s report, the information on the attacks on these two firms was from iSight Partners, which is a security consulting firm in Dallas. It has received financial support from Blackstone. There was no indication that Covington’s systems were compromised.
Citigroup released a statement that distanced itself from the report. An anonymous source said the bank had stopped distributing it. “The analysis relied on and cited previously published reports. We have apologized to several of the parties mentioned for not giving them an opportunity to respond prior to its publication in light of the sensitive nature of the events described,” a Citigroup spokeswoman, Danielle Romero-Apsilos, said.
Two smaller firms, Puckett & Faraj and Gipson, Hoffman & Pancione, also apparently suffered attacks. The hacker group Anonymous retaliated against Puckett after its attorneys represented a soldier who pleaded guilty in connection to the death of 24 Iraqi civilians. Gipson said that it suffered an attack in 2010 because of a software piracy lawsuit that it filed on behalf of a client against the Chinese government.
John Hultquist, a manager at iSight, said that it gathered information on the incidents from several sources, and that hackers were targeting many professional service firms. He said, “It’s not only law firms being targeted for cyberespionage and by cybercriminals. Auditors are regularly targeted, even strategic communication firms.”
Source: New York Times
Photo credit: Huffington Post