May 15 2020

Stop the music! Law firm hack foreshadows celebrity doxing

Once again, a major New York law firm was hit by a ransomware attack, exposing their client’s personal and private information – several of whom are prominent musicians.

The specific ransomware, commonly referred to as REvil or Sodinokibi, has done significant damage since being introduced in 2019. Viewed in isolation, this event – this specific attack and its effect on these unlucky celebrities – seems almost run of the mill.

After all, the event involving Panamanian law firm Mossack Fonseca & Co, more commonly known as the “Panama Papers” caused turmoil in the release of 11.5 million leaked encrypted confidential documents. This led to the ruin of the firm and exposed the network of more than 214,000 tax havens involving people and entities from 200 different nations.

Law firms are the custodians of extremely valuable data. Think it through for yourself: merger and acquisition data, personal information, intellectual property… law firms are a gold mine of confidential, highly valuable information.

Before we just accept what is presented, namely: a) law firms are an excellent target for cyber criminals, and b) hacks are daily occurrences, this is a significant moment for introspection.

We’re all forced confront that which is directly in front of us: we must embrace a new normal.

The way we’ve done business all along is no longer good enough. Those assumptions that have been baked into our collective mindset need to be reviewed, now that we are must question everything.

Who has my data and how are they protecting it? What questions should I be asking to find out?

Indeed, what should we be asking our lawyers, our accountants, our business partners, vendors and all information sharing relationships with regard to their current data risk management practices? What is it that a well-informed person should know?

The answer is a category that Layer 8 Security is familiar with; welcome to the world of Vendor Risk Management.

The expectations that one has of a third party vary greatly, with a host of issues playing into the determination. Regarding law firms, their cybersecurity requirements are not necessarily regulated by the federal government, but they do have a contractual and professional obligation to safeguard client information.

When considering that they handle the most sensitive, non-public, market moving information available, shouldn’t they be?

Shouldn’t they be required to implement and develop a mature data risk management program, replete with policies and procedures, and shouldn’t they be prepared to respond to third party vendor management questions like other industries?

While this blog is just a surface treatment, please give these questions the requisite amount of thought while it remains top of mind.

I invite you to reach out Layer 8 Security. Let’s think through your (or your company’s) third party exposure, including the risk related to your legal representation, And, if you’re a law firm, we’re here to help you too.

Photo by noshad AHMED on Unsplash