Ride the Lightning

Three Chinese Men Indicted for Hacking Law Firms and Insider Trading

January 12, 2017

The Manhattan U.S. attorney's office unsealed a criminal indictment (press release here) December 27th against three Chinese men accused of using stolen law firm employee credentials to access troves of internal emails at two law firms. The men, according to prosecutors, used details they obtained in law-firm partner e-mails about pending deals to make more than $4 million in illegal stock trades.

While the indictment didn't name the firms, The Wall Street Journal previously reported that prosecutors were investigating a hacking incident at Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP. According to a Wall Street Journal story, details in the indictment indicate those two were the firms in question.

Legal-industry experts say law firms often lag behind their corporate clients in data security measures, even though they are entrusted with valuable trade secrets, mergers and acquisitions data and other sensitive information that is attractive to hackers. The reason behind the gap? Lawyers have only felt the threat recently, and law firms traditionally lag behind other industries in trying to become more efficient through technology, largely because they bill their services based on time.

That last observation made me laugh out loud. Our devotion to the billable hour certainly has its drawbacks.

"Law firms aren't necessarily committed to things that don't make them money per se," said Neil Watkins, the senior vice president of security, risk, compliance and privacy at legal-services company Epiq Systems. Law firms are at least three years behind what has become standard for data security in finance and other industries, though awareness is improving, Mr. Watkins said.

Marsh & McLennan Companies Inc.'s general counsel, Peter Beshar, said that in recent months, he has begun requiring his top 10 outside law firms to meet six cybersecurity standards, including using encrypted transmissions when sending messages externally, having detailed incident-response plans and securing $5 million in cybersecurity insurance coverage.

At 650-lawyer firm Nixon Peabody, chairman Andrew Glincher said the firm is constantly looking for ways to improve its security, which at times has meant recognizing that some data is better protected by storing it with cloud-based vendors. The firm sends out mock phishing emails to raise awareness among employees and has invested in new technology and outside monitoring services to help with intrusion detection, data leakage, e-mail filtering and virus protection.

So far, law firms have faced few financial repercussions for weak security systems. Chicago attorney Jay Edelson, who specializes in data-privacy litigation, would like to change that. Over the past two years he has investigated law firms for having potentially weak security systems and filed an unknown number of lawsuits against firms for having inadequate data security. Just one of the suits (against Johnson & Bell Ltd.) has become public, with the rest under seal.

It is interesting to note that the three men arrested attempted to hack into seven firms, according to the press release, succeeding at two of the firms. If the odds of getting into a law firm are that high, given the potential economic reward, cybercriminals are certainly going to aim their best weapons at those firms.

Hat tip to Dave Ries, who was looking out for me while I took a blogging break!

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
http://www.linkedin.com/in/sharondnelson