This last week saw another major global cyberattack, a new ransomware wave called Petya. It was initially focused on Ukraine, but then spread to other countries including Russia and the United States.
This attack was similar to the WannaCry attack that hit 80 countries in May, 2017, but for the legal industry, what sets it apart from others isn’t the type of attack but who was targeted. Most notable is that DLA Piper, one of the largest legal firms in the world, was hit. The impact on the company was swift and potentially highly disruptive – so disruptive in fact, that no one wants to talk about it.
By Tuesday morning this past week, the company had shut down its internal phone and email systems, and employees had to resort to text messaging on their smartphones. That same day, the firm posted an announcement on its website, which was unaffected by the attack, stating:
“…our advanced-warning system detected suspicious activity in our network, which, based on our investigation to date, appears to be related to a new variant of the “Petya” malware.”
and:
“At this time, we have no evidence that the confidentiality of any client data has been compromised.”
Lessons for Law Firms
There are some important lessons that other law firms should take away from this attack, not the least of which is that hackers are increasingly setting their sights on law firms as keepers of a wealth of client data.
DLA Piper is a leading international law firm with revenues of more than $2.5 billion, a staff of almost 4,000 lawyers and locations in more than 40 countries. Compared with some of the other victims of Petya, the firm is one of the smaller ones. Petya created problems for a major shipping port in India, Mondelez International, BNP Paribas (a French-based international bank), and the UK media company WPP Plc, among others.
But law firms should take notice that DLA Piper was caught up in this latest round of malware attacks. Why? Because this piece of ransomware seemed more intent on testing the waters than on extracting maximum financial gain from the companies whose data it held hostage.
In fact, one of the biggest concerns with Petya is that many cybersecurity experts believe this particular attack was intended to destroy and disrupt, and perhaps even to act as a dry run or test for something bigger. The attack itself didn’t seem to yield much direct benefit to the hackers, other than a lot of information about the types of organizations and companies particularly vulnerable to this type of attack.
NATO to Include Cyber As Military Threat
NATO’s Secretary General, Jens Stoltenberg, recently announced that cyber will soon be included in the list of military domains that are covered by NATO’s Articles of Defense. This means that in addition to land, air and sea, cyber warfare would be one of the domains that could trigger Article 5, which states that an attack on one NATO member is considered to be an attack on all 29 members of the North Atlantic Treaty.
Why Law Firms Are Cyberattack Targets
Law firms are increasingly being targeted by hackers because they’re seen as repositories of the valuable financial and personal data of their clients. An international law firm in Panama, Mossack Fonseca, suffered a major data breach in April, 2016, with the hacked release of more than 11.5 million documents, which came to be known as “The Panama Papers”. The hackers shared the documents with an international consortium of journalists, exposing their clients’ data far and wide, and creating global implications for transnational business and government relationships.
In March of 2016, the FBI’s Cyber Division issued an alert related to an attack on multiple international law firms, with financial motivations to gain industry-specific information for the purposes of insider trading:
Law firms, accounting firms and other professional service providers generally don’t have the same degree of investment or protection in their cybersecurity infrastructure as do other firms which are highly security-minded, such as financial services and healthcare companies.
In March 2015, the New York Times reported that, based on an internal Citigroup report, “it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies.”
The report found that “digital security at many law firms, despite improvements, generally remains below the standards for other industries” and that law firms are at “high risk for cyberintrusions”, and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”
Summary
Over time, professional services firms such as law and accounting firms with insufficient security planning and mitigation could suffer business disruption or shutdown, reputational damage, client costs, fines, litigation costs and increased insurance. Those with superior security could reap the benefits of their caution, gaining a competitive advantage.
Cyberattacks continue to grow in frequency and morph in nature, targeting small and medium-sized businesses as well as larger firms and organizations. It’s imperative for law firms to do their utmost to protect their own data and assets, as well as those of their clients. Every company should have a robust cybersecurity plan in place, covering areas such as information security and asset management, employee awareness and training, data governance, privacy and security, monitoring and detection processes, and crisis and risk management.