4 Data Breaches at Law Firms and What You Can Learn From Them
Running a successful law firm means staying ahead of the curve when it comes to data security, and equipping your team with tools like a password manager and multi-factor authentication to help mitigate or prevent law firm cyberthreats. These law firm data breaches, three from 2020 and 2021 and one from 2016, reveal credential-related risks your firm or department might be facing and how to avoid breaches.
Who was hacked: New York City’s Law Department
How they did it: Using a single employee's stolen credentials, attackers gained access to the law department's network in June 2021. The department employs thousands of people and holds sensitive data, including evidence in police misconduct cases. To prevent further access to that data, the department took its systems offline, leading to delays in court proceedings and a great deal more.
The takeaway: The department had not yet rolled out multi-factor authentication at the time of the attack, even though the city had required it two years earlier. All the attackers needed was one employee's username and password to access the network and disrupt legal affairs citywide. The department has not said how the credentials were obtained. If the password was weak or reused from another breached site, a password manager would have reduced that risk; if it was phished, no amount of password strength would have helped. Multi-factor authentication covers both cases, because a stolen password alone is no longer enough to log in.
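One concrete control against the reused-password scenario above is to check every proposed password against a corpus of passwords already exposed in breaches, without sending the password itself anywhere. The block below is an added example, not code from the original article or from any vendor it mentions. It reproduces the k-anonymity scheme used by Have I Been Pwned's Pwned Passwords range API (only the first five hex characters of the SHA-1 hash leave the client), but the corpus, its counts, and the `lookup_range` function that stands in for the network call are all constructed so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a real breached-password list.
# The counts are invented for illustration only. A production check would
# query https://api.pwnedpasswords.com/range/<prefix> instead of this dict.
SAMPLE_BREACHED_PASSWORDS = {
    "password": 3_730_471,
    "Summer2021!": 12,
    "lawfirm123": 4,
}


def build_range_store(breached):
    """Index uppercase SHA-1 hashes by their first five hex digits, the way
    the range API partitions them. Values are lists of (35-char suffix, count)
    so two passwords that share a prefix are both kept."""
    store = defaultdict(list)
    for pw, count in breached.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        store[digest[:5]].append((digest[5:], count))
    return store


RANGE_STORE = build_range_store(SAMPLE_BREACHED_PASSWORDS)


def lookup_range(prefix, store=RANGE_STORE):
    """Simulated range endpoint (assumption: same 'SUFFIX:COUNT' line format
    as the real API). Returns every known hash suffix for a 5-char prefix,
    which is all the server ever learns about the password being checked."""
    return "\n".join(f"{suffix}:{count}" for suffix, count in store.get(prefix, []))


def pwned_count(password, store=RANGE_STORE):
    """k-anonymity check: hash locally, send only the prefix, and match the
    remaining 35 hex characters on the client side. Returns how many times the
    password appeared in the corpus, or 0 if it is not present."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix, store).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password, store=RANGE_STORE, min_length=14):
    """Return the list of reasons a proposed password should be rejected.
    An empty list means it passed both the length and breach-corpus checks."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = pwned_count(password, store)
    if hits:
        problems.append(f"appears {hits} time(s) in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Summer2021!", "correct horse battery staple"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The design point is that the server never sees the password or its full hash: with a five-character prefix it can only narrow the candidate down to the few hundred hashes in that bucket. The length check is deliberately separate from the breach check, since a long password that already circulates in dumps is still a bad one.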
Who was hacked: Lady Gaga and other A-Listers
How they did it: In 2020, the firm Grubman Shire Meiselas & Sacks was the target of a cyberattack that resulted in 756 gigabytes of stolen PII (personally identifiable information). The firm represents clients including pro athletes and Hollywood A-listers like Lady Gaga, whose legal documents were leaked in the attack. The attackers used REvil (Sodinokibi) ransomware; REvil operators typically gain initial access through phishing emails, stolen credentials, or exposed remote-access services, then exfiltrate data before encrypting it so they can threaten to publish it. The hackers demanded $21 million in ransom, doubling it to $42 million when the firm refused to pay.
The takeaway: Given the high stakes of securing legal documents, especially for high-profile clients, make sure your firm has robust ransomware and malware defenses, and limit how far a single compromised account or workstation can reach: least-privilege access, segmentation of the network, and backups kept offline so an attacker cannot encrypt or delete them. Because these groups steal data before encrypting it, a good backup alone does not remove the leverage of a leak threat. Employees should also be trained to recognize phishing emails.
Who was hacked: Fortune 500 companies
How they did it: The IP law firm Vierra Magen Marcus, whose clients include Fortune 500 companies, experienced a damaging breach in 2020. Using REvil ransomware, attackers stole 1.2 terabytes of data, including NDAs and patent filings, which they then auctioned on the dark web.
The takeaway: With clients like Fortune 500 companies, it's only a matter of time before your firm is targeted. Shore up your malware and ransomware defenses. Law firms can also run a dark web scan to see whether their data or employee credentials have already been leaked, bearing in mind that such a scan only tells you about a breach after the fact; it is a detection aid, not a preventive control.
Who was hacked: Panama-based Law Firm Mossack Fonseca
How they did it: In the 2016 leak known as the Panama Papers, at the time the biggest data leak ever, attackers reportedly exploited a vulnerability in the firm's WordPress site and from there reached Mossack Fonseca's email server. They took 11.5 million files from the firm, which managed offshore transactions for major clients including heads of state and celebrities. Emails, documents, and images were passed to the media, resulting in a coordinated effort by the press to expose the firm's clients for tax evasion and more. The damage to both the firm's and its clients' reputations led to Mossack Fonseca closing within two years of the attack.
The takeaway: Whatever one thinks of the clients' conduct, it is a firm's responsibility to protect information about them. A public-facing website should never be a stepping stone to the systems that hold client files, so keep web software and its plugins patched and keep it isolated from email and document servers. A strong cybersecurity culture and the right defensive tools are the best way to protect the reputation of your firm as a secure place for clients' data.
Ready to hack-proof your firm?
Learn more about why a strong security culture should be top of mind for your firm, and how to implement the right defense tools against attacks with our free Password Playbook for Legal Professionals.