| Haley Altman

Law Firms Need to Protect Client Data against Spear Phishing

Law firms are highly attractive targets for hackers due to the information about their clients – some of it highly sensitive or confidential. Three Chinese citizens were charged with trading on confidential corporate information that was obtained by hacking into the networks and servers of several U.S. law firms. The hackers obtained this information through “spear phishing.”


What is Spear Phishing?


The FBI describes “spear phishing” as “a virtual trap set by cyber thieves that uses official-looking emails to lure you to fake websites and trick you into revealing your personal information.” Hackers used emails that look like legitimate company emails to trick recipients into sending personal or confidential data to the hackers, believing they were sending the information to a member of the company.


Fortune reported the three were able to obtain insider information and make more than $4 million in profits. The publication also reported that one of the firms was attacked 94 days in a row, allowing the hackers to take nearly seven gigabytes of data.


Failure to Detect


The law firms failed to detect the email-driven attack. In the case of the hacked U.S. law firms, this meant access to information for insider trading. But what about other firms? Hackers could seek access to client concepts or conversations about ideas to be patented. It could be a list of witnesses in a trial – and perhaps access to their home or business addresses.


U.S. Attorney Prett Bharara in Manhattan said this regarding the case involving the Chinese hacking of law firms, which included some New York firms: “[This] should serve as a wake-up call for law firms around the world: you are and will be the targets of cyber hacking, because you have information valuable to would-be criminals.”


And don’t assume hackers will only target large law firms. Lawyers need to know that they are targets based on the valuable information they have.


Moses Afonso Ryan, a Rhode Island law firm with 10 attorneys, was hit with ransomware in 2016 and locked out of its network for three months until it could pay the $25,000 ransom in Bitcoin. The firm filed a lawsuit in April 2017 against its insurer, Sentinel Insurance Company, Ltd., for $700,000 for the lost billings for the three-month period.


All firms need to be vigilant. Firms need to take measures to protect data by using email alternatives to communicate confidential information. One option is to use a secure collaboration portal where communication is contained and data is protected.


To learn more about attorney obligations to protect client information and how encryption and cloud services can help protect it, download our eBook, “Technology Solutions Mitigate Risk of Data Disclosure.”