It appears that large retailers and hospitals are no longer the only targets for hackers as evidenced by the hack at the Panamanian law firm, Mossack Fonseca, generally referred to as the “Panama Papers.” While the identity of the hackers is still unknown, the extent of these crimes is starting to be fully realized. Reports indicate the hackers took millions of documents, including emails belonging to the law firm’s clients. There has already been substantial fallout from this hack including the resignation of Iceland’s prime minister and uncertainty for a number of other world leaders.
Perhaps the most startling fact about this crime is the lack of sophistication needed to steal sensitive client information. The combination of outdated safeguards and highly-sensitive information provides a ripe target for hackers. Specifically, commentators believe this attack originated when the law firm failed to update its web servers:
The fact that Mossack Fonseca’s web servers were many months out of date was particularly egregious, especially considering the sensitivity of their clients’ information. “They seem to have been caught in a time warp,” says Alan Woodward, a cybersecurity expert from University of Surrey and consultant to Europol’s European Cybercrime Centre. “If I were a client of theirs I’d be very concerned that they were communicating using such outdated technology.”
In addition to the “Panama Papers” incident, there should be little question law firms hackers are looking to exploit vulnerability at law firms. It has recently come to light that hackers have launched “phishing” attacks aimed at law firm employees and personnel. In an attempt to gain access to documents related to corporate mergers, authorities recently learned of a scheme offering to pay hackers $100,000 in addition to half the profits of the first $1 million taken from law firms. In particular, after gaining access to law firm networks, the hackers were instructed to conduct key word searches to find documents related to pending mergers or other transactions that the hackers could use to turn a profit.
In response to this scheme, the FBI recently issued an alert through the American Bar Association warning law firms of this threat. The FBI alert describes the scheme as follows:
A financially motivated cyber crime insider trading scheme targets international law firm information used to facilitate business ventures. The scheme involves a hacker compromising the law firm’s computer networks and monitoring them for material, non-public information (MNPI). This information, gained prior to a public announcement, is then used by a criminal with international stock market expertise to strategically place bids and generate a monetary profit.
The evolution of the hacker threat from large (highly secured) targets to smaller (lacking security) targets has not been a surprise. What has been surprising is the fact that the smaller targets did not see the threat evolve to put them in the crosshairs. Further, the fact that a number of international law firms have found themselves to be targets demonstrates difficulties in protecting against hackers. The threat to law firms should also provide insight to accounting firms, real estate brokers and any other smaller operation about the value of cyber security.