As you can imagine, there are a multitude of reasons why businesses get hacked. Often, it’s for personal information in support of identity theft. But while personal information has value, we sometimes see attackers going after bigger fish. Recently, the law firm Cravath Swaine and Moore LLP disclosed that it had been hacked, and experts believe the target was insider information about the firm’s large international clients. And they aren’t the only law firm to be attacked this way.
It’s a sneaky way to get inside information, with perhaps less risk of being caught than trying to get close to the insiders personally. But this also raises issues of trust and liability between the law firms and their big-name clients.
The firms have stated that there is no evidence that any stolen information has been abused. This is a standard statement issued by most organizations, on advice from their lawyers, I presume. However, if a law firm’s network is breached and they don’t have adequate prevention and detection safeguards, how does anyone know where losses have materialized from?
I think we are going to see a lot more focus on information security assurance in vertical industries that typically have been highly trusted with valuable information, such as in the legal field. Just as attackers are hitting hospitals with ransomware because they know the data is dynamic, may not be well protected, and the institutions can’t operate without access to their data, legal firms have lots of information that can be targeted for specific purposes like insider trading, and also don’t have a great reputation for having invested in strong information security technologies and procedures.
Here’s a story from Threatpost.com that explains more of the details.