Law Firm Data Breaches Besiege Client Confidentiality

The Syrian Electronic Army (SEA) is famous for spearphishing well-known brands and news outlets.

Over the past 5 years, the group has launched attacks against targets including the White House, Harvard University, Reuters, the Associated Press, NASA, CNN, Time, the Washington Post, The Onion and Microsoft, among others.

The SEA’s attacks have included compromising the Twitter account of the Associated Press in April 2013, to post a bogus tweet that the White House had been bombed and that President Barack Obama had been injured.

That hack resulted in a short-lived but perilous dip in the stock market, to the tune of $136 billion.

Experts at spearphishing they may be, but they weren’t particularly good at covering their tracks on Facebook or Google, it turns out.

That’s how investigators know the names of the three men they filed charges against on Tuesday.

They are Ahmad Umar Agha, 22, of Damascus, Syria; Firas Dardar, 27, of Homs, Syria, and Peter Romar, 36, of Walterhausen, Germany.

The FBI on Tuesday added two of them – Agha and Dardar, both believed to be in Syria – to its “Cyber Most Wanted” list and put a price tag of $100,000 on each of their heads, payable to whoever can provide information that leads to their arrest.

As IntelCrawler detailed in a report on the SEA, Agha – who has allegedly used the aliases The Pro and Th3Pr0 – is “one of the most aggressive and experienced members in SEA,” responsible for the majority of past hacks, and is “one of the more stealth members.”

He’s allegedly behind the first ever SEA attack: the defacement of the University of California’s website in July 2011.

Stealth he may be, but according to IntelCrawler, “The Pro” “unknowingly and carelessly” let slip on his Google Plus page that he worked at the SEA.

The report details a long digital trail left by the alleged hackers as they communicated via Google, Facebook, LinkedIn and other online services.

Because of that digital trail, investigators also traced Dardar, who was allegedly known online as “The Shadow.” The Feds claim that starting in 2013, Dardar worked with Peter “Pierre” Romar on an extortion scheme targeting US businesses.

According to the complaint, the pair would hack into the victims’ computers and then threaten to damage computers, and delete or sell the data unless they were paid a ransom.

The Washington Post on Tuesday cited US officials who said that Romar was arrested in Germany. The Department of Justice is seeking to extradite him.

The US has issued arrest warrants for the two men it’s placed on its Cyber Most Wanted list: “The Pro” and “The Shadow.”

Assistant Attorney General for National Security John Carlin said in a statement that the conspirators’ extortion schemes undermine their own claims of working for a noble cause – to support the embattled regime of their president.

While some of the activity sought to harm the economic and national security of the United States in the name of Syria, these detailed allegations reveal that the members also used extortion to try to line their own pockets at the expense of law-abiding people all over the world.

by:  from Sophos

 

Image of Agha and Dardar courtesy of FBI Most Wanted

Big Law is struggling to protect privileged and sensitive information among the onslaught of breaches, an ever-demanding workload, and their own human errors.

Law Firm Data Breaches Besiege Client Confidentiality

Law Firm Data Breaches Besiege Client Confidentiality

In the wake of recently exposed law firm data breaches among several of the Am Law 100 emerges a larger issue around managing client confidentiality—one of the bedrocks of law firms’ responsibilities.
In the modern digital world, it also becoming more of a complex challenge, which is the topic of a recent whitepaper released by Delta-Risk, a cybersecurity consulting company based in Washington, D.C.
And nowhere is the concern over client confidentiality perhaps more pronounced than in industry’s vulnerabilities to cyberthreats. Law firms are some of the most attractive targets for cyberattackers, the whitepaper notes, because they handle a variety of sensitive information, from “potential mergers and acquisitions, patent and trade secrets, litigation plans, and generally very specific and confidential information on clients and their dealings.”
Law Firm Breaches
Over the past several years, cyberattacks on law firms have run the gamut from hacktivist breaches and nation-state attacks to low-level blackmail attempts.
Earlier this week, new reports revealed that hackers gained access to the computer networks of law firms working on M&A deals, including Cravath, Swaine & Moore and Weil, Gotshal & Manges. A Weil spokesperson declined to comment, but Cravath confirmed that the firm identified a “limited breach of its IT systems” in the summer of 2015, according to The American Lawyer.
While law firms have kept hush about it, data breaches at law firms actually date back several years: For example, in 2010, California-based law firm Gipson, Hoffman & Pancione was the target of malicious phishing emails from Chinese hackers shortly after filing a software piracy lawsuit again the government and the country’s firms. The firm was quickly able to identify the malware and prevent any data infiltration.
In 2012, however, Chinese hackers successfully breached Washington D.C. firm Wiley Rein, who represented Solarworld in an antidumping case against the country, as a part of a wider cyberattack effort.
Gipson, Hoffman & Pancione and Wiley Rein declined to comment for this article, while Ziprick and Cramer and Brown Firm did not immediately respond to requests for comment.
But that is not unusual, said Joseph Abrenio, vice president of commercial services at Delta-Risk, who is also president of the Midwest Cybersecurity Alliance. He noted that firms are usually hesitant to disclose breaches due to legal, ethical, and as important, branding issues. The amount of breaches at law firms, he believes, is higher than what is usually reported.
Yet as more breaches enter the public eye, it is possible to begin to understand the scope of the problem. In early 2016, for example, a cybercriminal, with the moniker “Oleras,” was reported soliciting other hackers in an effort to breach 48 law firms, almost all of which are among the Am Law 100. The cyber criminals previously targeted dozens of M&A law firms.
Other examples of law firm breaches go back to 2012, notably the politically-motivated breach of the now defunct law firm Puckett & Faraj by hacktivist group Anonymous. The firm represented former staff sergeant Frank Wuterich, a key figure in the controversial Hadith killings in Iraq in 2005. While Anonymous was only after his emails, they released the emails, and all subsequent sensitive information, of many of the firm’s other public clients.
But cybercriminals don’t always have as complex intentions — some are attempts for a quick financial gain. In 2015, for example, the firm of California-based Ziprick and Cramer suffered a ransomware attack, which was able to encrypt data on an employee’s workstation and within the firm’s in-house servers. The cybercriminals threatened to destroy the data unless paid, but Ziprick and Cramer had a data backup solution in place, and dismissed the ransom.
Florida-based Brown Firm, however, was not so lucky. A ransomware attack in early 2016 crippled the firm’s systems and froze unrecoverable data. After consulting with IT professionals and law enforcement, the firm paid $2,500 for the decryption key.
The Human Factor
While the fear of breaches of client confidentiality through cyberattacks is pervasive, the “most prevalent [cause of data loss] is human error and negligence,” said Abrenio
“Let’s face it, productivity is king, and lawyers, paralegals, assistants, all of the staff are constantly under great pressure to produce,” he explained. “When you’re doing that at such a high rate, ultimately its bound that human failure is going to happen. And I’ve seen numerous inadvertent disclosures of data that is either to opposing counsel, to counsel not even involved in the case or people that have no relationship to the case.”
How inadvertent disclosures affect client confidentially usually depends on the specifics of the disclosure. To highlight this point, the whitepaper cites the 2008 case of Victor Stanley, Inc. v. Creative Pipe, Inc., which involved a defendant’s attorney who, through the process of a mishandled e-discovery request, handed over privileged information to opposing counsel.
“Because of the questionable way the defense handled the discovery request search and how they dealt with the problems of the disclosure,” the whitepaper noted, “the court determined the balancing test it employed weighed against the defense. The inadvertently disclosed documents were no longer privileged. The defense’s technical failures exposed their clients’ privileged information to their adversaries.”
But five years later, the situation was different in 2013’s Kyko Global, Inc. v. Privthi Info. Solutions, a case involving a defense counsel that improperly destroyed certain privileged data through reformatting a hard drive. When the hard drive was handed over, the plaintiff was able to recover the data. Here, however, the court found that the intention and actions of the defense counsels were adequate to support the data’s privileged status.
What courts in both cases took into consideration, the whitepaper noted, was whether attorneys acted in a reasonable way to protect their client information. But it cautioned, “the baseline standard of what is ‘reasonable’ and what should be done in the event of a breach or disclosure is bound to change with improvements in technology.”
The fault assigned to law firms and attorneys who mishandle data out of court and the discovery process is far more clear cut — situations, Abrenio noted, that happen far too often.
“What I’ve also seen unfortunately is lost data, the standard lost briefcase, or nowadays the electronic form of that, lost laptops; it’s amazing what frequency of that I have seen occur and it’s troubling and because these laptops are unencrypted,” he said.
The whitepaper discusses once such instance involving an IT employee of the firm Stern, Agee, and Leach who left an unencrypted laptop containing sensitive data in a public restroom. The firm suffered a $225,000 fine from the Financial Industry Regulatory Authority (FINRA) for the incident.
Reporting Requirements
Fines, however, may be the least of a law firm’s problem when it suffers a data brief of privileged and sensitive data. The whitepaper notes that 47 states, as well as Washington D.C., Guam, Puerto Rico and the Virgin Islands, have breach notification laws which require organizations to notify affected residents if the breach meets certain conditions, like a threshold number of people affected.
Attorney responsibilities post-data breach, however, extend beyond state laws to ethical obligations, such as those outlined in the American Bar Association (ABA) Model Rules of Professional Conduct. Rule 1.1, which requires lawyers provide competent representation, for example, “now extends that competency to the use of technology,” the whitepaper noted. Similarly, Rule 1.6 requires “reasonable efforts to prevent the inadvertent or unauthorized disclosure” of client data.
ABA rule 5.3 was also expanded to ensure that, among other things, “Internet-based service to store client information,” such as cloud services comply with a proper security measures and other ethnical obligations.
While cyberattacks and human error make data breaches seem inevitable, there are ways to shore up one’s defenses against the likelihood of unintentional data loss. The whitepaper suggests that firms first and foremost “develop a comprehensive cybersecurity program,” which includes employee cybersecurity training, monitoring their data and data policies, frequently testing their cybersecurity defenses for weaknesses, and fostering a “culture of cybersecurity compliance.”
But firms must also prepare for lapses, for “even the best laid plans and preparation sometime fail.”
The whitepaper advises purchasing cybersecurity insurance in case of successful attacks, adding “claw-back” procedures to document production agreements in case of inadvertent disclosures, and instituting a “two-pass process of reviewing documents that will be transmitted.”

Ricci Dipshan , Legaltech News

Is Your COMPANY's Data on the Dark Web, Find out TODAY!!!

GET YOUR FREE DARK WEB SCAN TODAY!!!

Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282