Hackers and Legal Information
In late 2014, during a meeting of my firm’s technology advisory group, I recall skeptically saying something like: “What hacker is actually going to target a law firm? We don’t store client credit card data, there are multiple layers of security on our servers, on our files and for employee personal information, I mean really, we are not Target or Home Depot.” Other members of our group did not agree with me.
Boy, was I mistaken. On December 31, 2014, the Law Society of BC issued a Fraud Alert titled “BC law firm’s computer system hacked by extortionist.”
Notices appeared on some of the firm’s computer monitors stating “Your files were encrypted and locked with a RSA2048 key.” The firm was advised to contact an address within 12 hours and pay an extortion fee to have the encryption unlocked. The notices further advised that if the firm did not pay the fee within the stipulated time, the fee would double. Finally, without payment, the files would be “irrevocably broken” after 30 days.
The firm did everything right: did not pay the extortionist, took proper steps with professional technical assistance, called the police, and the issue was resolved.
Scares the pants off me that I pooh-poohed the very idea of this occurring. First on my ‘lessons learned in 2015’ list.


I’d also be concerned about less-criminal hackers paying special attention to law firms who do pro-bono work for unpopular causes, who deal with people from unpopular countries or with unpopular religions. What is unpopular, of course, may change without notice.
Too true, David. Add unpopular fictional representations of real people to the mix as well.
Another logical argument for why a hacker would target a law firm is deal-in-progress information, of course, or even sensitive litigation that could have a major monetary impact on a stock price.
I admit that my instincts still say that we are not living in a novel – however, art imitates life, as the BC firm found out.
Actually, Shaunna, you weren’t wrong to think that your firm is unlikely to be targeted.
This attack almost certainly wasn’t a targeted attack aimed at that specific law firm. These types of “ransomware” attacks are usually spread through automated mechanisms to thousands of computers at a time, hoping that one will be vulnerable. There probably wasn’t an extortionist in the sense of an individual waiting for the payoff. The extortionist is usually a computer program that waits to see if a Bitcoin address has received funds and, if it has, then it sends the password to decrypt the files to the victim. Ultimately there’s a person running the program, but that person doesn’t care whether they infected your firm or Home Depot. They just care about how much money they’re receiving and how they can spread the virus to more computers.
That said, there have been a few high-profile attacks on law firms where they were specifically targeted. Here’s a CPD presentation I did on the subject last year: http://www.cameronhuff.com/blog/cybercrime-presentation/index.html