Cyberattacks: Why Law Firms Are Under Fire'Panama Papers' Expose Sector's Security Shortcomings
Ask hackers why they attack law firms, and their reply - to riff on bank robber Willie Sutton's famous quip - would no doubt be: "Because that's where the secrets are."
As demonstrated by the so-called "Panama Papers" leak of 11.5 million records from the Panama-based law firm Mossack Fonseca, there's no doubt that law firms are being targeted by attackers seeking to access, steal and potentially leak their clients' secrets.
Two lessons that all law firms - and other organizations - should learn from the massive leak are the need "to protect against insider threats - if they have not learned the lesson from Edward Snowden," as well as "to double-down on their due diligence in hiring employees," says attorney Sean Doherty, an information governance, compliance and e-discovery analyst for market researcher 451 Research. A third lesson, he says, is "the power of the press," noting that "their power to investigate is second only to nation-states."
But it's not clear how many law firms - or other organizations, for that matter - have been heeding advice to beef up their cyber defenses, despite law enforcement agencies and cybersecurity firms issuing repeated warnings about the risks of attacks by insiders, fraudsters, hacktivists, unscrupulous competitors and nation-states.
In 2011 alone, cybersecurity firm Mandiant estimates at least 80 U.S. law firms were hacked. In recent years, six firms - Fox Rothschild, Holland & Knight, Hunton & Williams, Simpson Thacher & Bartlett, Thompson Hine, and Wilson Sonsini Goodrich & Rosati - have been caught up in insider trading schemes that involved employees attempting to steal and profit from clients' information, Bloomberg reports.
On March 3, meanwhile, the FBI's Cyber Division issued a Private Industry Notification, warning law firms that "in a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms," Bloomberg reports. The FBI has not named the forum where the post appeared.
Panamanian law firm Mossack Fonseca, meanwhile, has not responded to repeated requests for comment about the circumstances surrounding its data leak, which reportedly began in late 2014. But founding partner Ramon Fonseca told Reuters that he blames the leak on an external hack attack, while also denying reports that his firm destroyed documents or facilitated money laundering or tax evasion (see If You Hide It, They Will Hack).
Law firms are a prime hacker target because they handle secret details of intellectual property, mergers and acquisitions, and other potentially valuable information. "Every large company sends all of its IP, next product plans, M&A information - on which you could trade or buy stock and make millions of dollars - to the largest law firms in the U.S. and the world," says attorney Chris Pierson, who serves as the general counsel and CISO for invoicing and payments provider Viewpost. "So, why hack Lockheed to find out the next patent for a missile system? Just hack their law firm. Why lose money in the stock market when you know you can hack the M&A group at the big [law] firm to find out ahead of time who is buying whom, and make lots of money?"
Brian Honan, a Dublin-based cybersecurity consultant, says the same goes for accountancy firms. "They hold lots of similarly sensitive information about their clients," he notes via Twitter.
Encrypt Data, Virtual Workspaces
In the wake of the Panama Papers leak, Zak Maples, a senior security consultant at MWR InfoSecurity, says all law firm CEOs need to immediately determine if the organization can identify where all information gets stored and who can access it; whether it has sufficient preventive controls to safeguard the data; and whether data access and exfiltration defenses are in place. CEOs, Maples, says, also must ask: "If we do have these controls and capabilities, have we actually tested them to ensure they are working?"
Doherty of 451 Research says law firms, being "custodians of client data," must make sure they're encrypting all data, both when stored and in transit, and carefully control, via granular file-access controls, "who can open, view, edit, copy, even transmit them via email. All file access should be logged, analyzed and reported for unauthorized use or unusual activity or anomalies." Of course, that advice applies to any organization that handles or stores sensitive data.
Doherty is also a proponent of using dedicated and secure virtual workspaces for handling confidential information. All discussion of legal matters "should be contained in secure online rooms, such as deal rooms, SharePoint sites, or other containers," he says. "Information in containers should remain contained and delivered to users on a need-to-know, time-limited basis. When the matter is complete, the container should be archived with limited access."
Digitizing Records Is Risky
Nearly four decades of records from Mossack Fonseca have been leaked, demonstrating that, at some point, the firm apparently began digitizing old records. "Firms working with clients in international finance, by necessity, were using digital records long before many traditional law practices," Doherty says. "By nature, many of their transactions are digital with electronic trails."
But Doherty says that any old records should be locked down. In particular, all related records, information and communications "should have been taken offline, at least placed in near-line storage, without general access," he says. "If the firm digitized closed matters, it opened a security hole for hackers and increased the threat of an insider attack."
The safest course of action will always be retain as little information as possible, says Honan, who also advises the EU law enforcement intelligence agency Europol. "If you are not obliged to keep certain information - due to laws, regulations or contracts - then the safest way to secure it is to destroy it in a secure manner."
Monitor for Unauthorized Access
Doherty says the Panama Papers breach isn't just a cautionary tale about the need to secure stored data or block exfiltration. "The root cause and risk was, and perhaps is, unauthorized access," he says.
Despite Ramon Fonseca's claims, many security experts suspect that an insider was involved in the attacks. That's a reminder, Doherty says, of the need for all organizations to beware of insider threats. For law firms in particular, he recommends they "conduct due diligence on new hires, as well as re-screen them on a regular basis.
Of course, data leaks can be achieved by using spear-phishing attacks or malware, which can give attackers access to corporate systems, allowing them to work like a virtual insider. "I think [that] automated threat is here today and may already be inside firms' firewalls," Doherty says.