Federal authorities are investigating data breaches at the New York law firms Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, Threatpost reports.
“Last summer, the firm identified a limited breach of its IT systems,” Cravath Swaine & Moore said in a statement. “We have worked closely with law enforcement authorities who have jurisdiction over this matter. Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants.”
The firm said it’s not aware of any improper use of any of the data that was accessed by the hackers.
Last fall, an American Bar Association survey of 90,000 attorneys in private practice found that one in four law firms with at least 100 attorneys have experienced a breach due to hackers, website attacks, break-ins, or lost or stolen computers or smartphones, according to Law360.
Fifty-eight percent of respondents said their firms did not have a dedicated CISO or any other staff member charged with data security, and 47 percent of respondents said their firms had no response plan in place to address a security breach.
IDT911 chairman and founder Adam Levin told eSecurity Planet by email that the recent breaches demonstrate how exposed professional organizations really are. “The FBI is currently investigating to determine whether confidential information was stolen for the purpose of insider trading,” he said. “Unfortunately, it is equally likely that employee and client records were also accessed, making them prime targets for further spear phishing and social engineering attacks.”
“Any lawyers or staff members who may have been exposed should be hyper-vigilant about monitoring accounts for fraudulent activity,” Levin added. “They must not click on any links or attachments in emails without confirming the authenticity of the sender, change passwords for potentially compromised accounts and update security programs to protect personal data.”
“Professional organizations need to acknowledge their constant state of vulnerability and radically change their corporate culture by implementing more sophisticated security protocols, stepping up employee awareness training programs and adopting robust damage control programs that can limit the inevitable fallout from events such as these,” Levin said.
And Seclore CEO Vishal Gupta said by email that while banks and Fortune 500 companies have strengthened their security measures over the past few years, hackers are finding loopholes — in this case, through law firms. “There is no limit to what hackers can do to our markets with access to confidential trading information,” he said. “This incident underscores a critical need to prioritize persistent data-centric solutions.”
“It’s no longer enough to establish firewalls and perimeter securities — hackers can still find a back door,” Gupta added. “Protecting the data itself with persistent rights renders the data unusable and gives organizations the power to protect sensitive information even when it gets into the wrong hands to stop a breach like this one.”