Legal Industry Faces Double Jeopardy as a Favorite Cybercrime Target

A rash of 10 cyberattacks hitting six different law firms materialized throughout January and February, attempting to infect law firm employees with info-stealing malware. The campaigns are emblematic of the rapidly growing attack landscape in the legal profession, driven by the treasure trove of data that firms possess: personal details about clients, information about criminal defense proceedings, very specific contractual information, financial account data, and so much more.

For law firms, the risk is twofold: the cost of remediating a cyberattack and staying operational while it unfolds, and the potential legal consequences if the data they hold is exposed.

According to eSentire’s Threat Response Unit (TRU), the most recent spate of attacks came from two separate, ongoing threat campaigns. In the first campaign, attackers attempted to infect law firm employees using SEO poisoning to lure victims to compromised WordPress websites. The sites were seeded with malicious links to phony contract or agreement templates that ran GootLoader malware. The second campaign utilized watering-hole attacks against victims, by poisoning a notary public’s website with SocGholish malware, in the hopes of ensnaring lawyers and other related legal professionals.

“Law firms and legal services organizations have exceptional access to non-public and confidential data across all facets of the public and private sectors,” says Larry Gagnon, senior vice president of security services and incident response for eSentire. “They, therefore, face significant cyber threats from adversaries intent on financial cybercrime that want to steal and sell sensitive data associated with those clients and their activities.”

And indeed, an analysis published in January by The American Lawyer on Law.com shows that cyberattacks in the legal sector have escalated significantly in the past few years. Looking at data sets posted by four state governments that are required to disclose breaches publicly, between 2014 and 2019 fewer than 20,000 Americans had their personally identifiable information (PII) compromised by law firm breaches. But between 2020 and 2022, that number shot up exponentially to 779,000. While only a limited data set, the growth statistic is a strong proof point that attackers are drawn to law firms like moths to light.

Why Legal Firms Are So Attractive to Hackers

It isn’t just the sensitivity of the data that legal firms handle but also the scope and detail of data that can be dug up by attackers who successfully breach a single firm — especially if it’s a large one. One attack can be a one-stop shop for monetizing the data and access stolen from not just one organization, but a whole portfolio of them.

“Law firms connect with and support many clients at any given time. Compromising one law firm gives bad actors access to numerous client networks without having to directly reach each one of them,” says Michael Tal, technical director for Votiro, a cloud file security firm that works extensively with the legal industry. “Files are the primary form of communication and weaponizing them gives bad actors a sure way to get the clients to open and infect the clients.”

For example, he noted one potential attack that his team uncovered where a hacker managed to breach the email inbox of a law firm and was using that access to send out malicious password-protected zipped files to insurance companies.
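The template-lure archives in the GootLoader campaign described above and the password-protected zipped attachments in this example share traits that a mail or web gateway can check before anyone opens them. The following Python script is an added illustration written for this page, not code from eSentire, Votiro or the article. It flags archive entries whose ZIP encryption flag is set (content scanners are blind to those) and entries that are Windows scripts, especially when hidden behind a document-looking double extension. The sample message, addresses, file names and extension lists are constructed fixtures, and the assumption that such lures arrive as zipped scripts is the example's own, not a claim the article makes.

```python
"""Triage zip attachments in a mail message (added example, not from the article).

Two indicators a gateway can check without knowing any password:
  1. an entry whose general-purpose flag bit 0 is set (ZIP encryption), which
     means content scanners cannot inspect it;
  2. an entry that is a Windows script or shortcut, or that hides one behind a
     document-looking double extension (e.g. "Contract_Template.pdf.js").
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Illustrative (not exhaustive) list of extensions Windows executes on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".lnk", ".cmd", ".bat", ".ps1", ".scr"}
# Extensions a lure borrows to look like a harmless document.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}

ZIP_ENCRYPTED = 0x0001  # bit 0 of the ZIP general-purpose bit flag


def inspect_zip(data: bytes) -> list[str]:
    """Return human-readable findings for one archive; empty list means clean."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    for info in zf.infolist():
        name = info.filename
        if info.flag_bits & ZIP_ENCRYPTED:
            findings.append(f"encrypted entry, content cannot be scanned: {name}")
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTS:
            findings.append(f"executable script entry: {name}")
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS:
                findings.append(f"document-looking double extension: {name}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each suspicious zip attachment's filename to its findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    report = {}
    for part in msg.iter_attachments():
        filename = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        # Trust the magic bytes, not the declared MIME type or the extension.
        if payload[:4] == b"PK\x03\x04":
            findings = inspect_zip(payload)
            if findings:
                report[filename] = findings
    return report


# ---- constructed fixtures below (test data only) ----------------------------

def build_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag on every local and central header.

    Python's zipfile cannot write encrypted archives, so this patches the flag
    bytes of a plain archive to produce a fixture that any parser reports as
    password-protected. The stored data itself is left untouched.
    """
    data = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + flag_offset] |= ZIP_ENCRYPTED
            pos = data.find(sig, pos + 4)
    return bytes(data)


def build_sample_message() -> bytes:
    """Constructed mail with two zip attachments: one password-protected, one
    carrying a script under a contract-template name. Addresses are fictional."""
    msg = EmailMessage()
    msg["From"] = "partner@law-firm.example"
    msg["To"] = "claims@insurer.example"
    msg["Subject"] = "Updated agreement"
    msg.set_content("Please find the documents attached.")
    protected = mark_encrypted(build_zip({"Agreement.pdf": b"%PDF-1.4 placeholder"}))
    msg.add_attachment(protected, maintype="application", subtype="zip",
                       filename="Agreement.zip")
    lure = build_zip({"Contract_Template.pdf.js": b"// placeholder script body"})
    msg.add_attachment(lure, maintype="application", subtype="zip",
                       filename="Contract_Template.zip")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, findings in scan_message(build_sample_message()).items():
        print(attachment)
        for line in findings:
            print("  -", line)
```

The check reads only the archive headers, so it works on a password-protected file without the password; a gateway that cannot see inside an archive should treat that blindness itself as the finding and quarantine or hold the message for review rather than deliver it.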

The other attractive element for hackers is that law firms and legal services companies tend to be very soft targets.

“Most law firms don’t have dedicated cybersecurity programs or personnel. As a result, their cybersecurity posture has likely failed to keep up with their requirements as a business,” says eSentire’s Gagnon, who notes that the legal IT environment also tends to be challenging to harden because it is typically composed of a mix of legacy technology and more modern cloud-based solutions that sometimes don’t play nicely together without advanced support. “When attackers successfully breach a legal organization, they tend to progress beyond the initial foothold to the intrusion phase more quickly.”

This is likely also attributable to the fact that fewer than half of law firms have any kind of cyber incident response plan in place. According to the American Bar Association’s (ABA) annual tech report published last November, only 42% of firms have a plan in place.

A cyberattack is a nightmare scenario for law firms that are at risk of not only having their reputations torn to tatters but also of breaking very strict compliance mandates and confidentiality laws. But the good news is that many law firms are at least building awareness about cybersecurity risks among their business and attorney stakeholders. 

The ABA report shows that the number of respondents reporting at least some cybersecurity governing policies in place for technology usage has grown from 77% two years ago up to 89% in 2022. 

It may take a while for investments to catch up with awareness, says Fran Haasch, founding attorney of Fran Haasch Law Group.

“Some law firms may view cybersecurity as an unnecessary expense or may not prioritize it over other business concerns,” she says. “However, with the increasing prevalence of cyber threats and the potential legal and financial repercussions of a cyberattack, law firms should take cybersecurity seriously and invest in appropriate measures to protect their clients and themselves.”

Ericka Chickowski, Contributing Writer, Dark Reading