Cyberattackers have targeted all types of businesses, from oil companies to hospitals. This week, a small West Texas law firm reportedly discovered that its email system had been hacked and used to dupe people around the world with an email from the firm about a lawsuit subpoena. The emails came from a valid address at the law firm of James T. Shelton in Clarendon, Texas, east of Amarillo, but no one at the firm had sent them. In a classic phishing attempt, the email reportedly carried a Word document loaded with malware that, when downloaded, can be used to steal banking and other personal information. As reported on the legal news website Texas Lawbook, the law firm shut down the email account and posted a warning on its website telling recipients not to click on links in the email.
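The detail that matters for defenders in the incident above is that the message came from a genuine mailbox: SPF and DKIM checks pass because the compromised account really did send it, so header-based filtering does nothing and the Word attachment itself has to be inspected. The following is an added example, not code from the article, the law firm, or Texas Lawbook. It constructs a lookalike message (made-up addresses, a made-up `Subpoena.docm` whose `vbaProject.bin` is a placeholder rather than real macro code, and a constructed `Authentication-Results` header), then scans the attachments for a VBA project part in the OOXML zip and reports whether the sender nevertheless authenticated.

```python
"""Scan an .eml message for Office attachments that carry VBA macros.

Added example; it is not code from the original article or from the law
firm, and it uses a message constructed inline rather than the real one.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML zip members that hold compiled VBA code (Word, Excel, PowerPoint).
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Attachment extensions worth inspecting. Legacy OLE2 files (.doc/.xls) are only
# flagged by magic number here; their macro streams need a dedicated parser.
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".dotm",
                     ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML document (a zip container) contains a VBA project part."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def suspicious_attachments(raw_eml: bytes) -> list:
    """Return one finding per Office attachment, with the checks that fired."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    # A compromised mailbox sends through the real provider, so SPF/DKIM can
    # legitimately pass. Record it so a pass is not mistaken for proof of safety.
    auth = msg.get("Authentication-Results", "")
    authenticated = "spf=pass" in auth and "dkim=pass" in auth
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(OFFICE_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "vba_project": has_vba_project(payload),
            "legacy_ole2": payload.startswith(OLE2_MAGIC),
            "sender_authenticated": authenticated,
        })
    return findings


def build_sample_eml() -> bytes:
    """Construct a message shaped like the one reported: a subpoena lure from a
    genuine-looking address with a macro-enabled Word attachment. The addresses
    and the file are made up (assumptions); the VBA part is a placeholder."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # stands in for compiled VBA
    msg = EmailMessage()
    msg["From"] = "attorney@lawfirm.example"
    msg["To"] = "recipient@victim.example"
    msg["Subject"] = "Subpoena in pending lawsuit"
    msg["Authentication-Results"] = "mx.victim.example; spf=pass dkim=pass"
    msg.set_content("You have been named in a lawsuit. The subpoena is attached.")
    msg.add_attachment(
        doc.getvalue(),
        maintype="application",
        subtype="vnd.ms-word.document.macroEnabled.12",
        filename="Subpoena.docm",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in suspicious_attachments(build_sample_eml()):
        print(finding)
```

Run against a saved `.eml` by passing its bytes to `suspicious_attachments`. The check is deliberately narrow: it detects the VBA container in OOXML files and only flags legacy OLE2 files by their magic number, so a full triage of `.doc`/`.xls` attachments still needs a macro parser such as oletools' `olevba`. The `sender_authenticated` field is the point of the exercise: in an account-compromise case it will be `True`, which is exactly why the attachment content, not the sender, has to decide.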
“Certainly, there has been a lot of interest in the last couple of years among companies and regulators about the potential vulnerability of law firms and how they might be the weak link enabling hackers to get access to corporate documents and information,” says Mark Thibodeaux, cybersecurity lawyer in the Houston office of Sutherland Asbill & Brennan LLP. Mr. Thibodeaux is also a former IT executive and has an in-depth understanding of the techniques used by data hackers. “All organizations must train computer-using employees to recognize ‘phishing’ emails. When unsuspecting victims open attachments or click on links in these emails, that is how the attackers get their foothold on the organizations’ networks,” he said.
“There have been allegations that big law firms have been targeted by (primarily Russian) criminal gangs to get access to pre-release corporate information to use for insider trading of stocks and other securities. And, of course, there has most recently been the supposed hacking of Mossack Fonseca in Panama, leaking information about the widespread use of offshore companies to hide money,” said Mr. Thibodeaux. “Both federal and state regulators have increased their scrutiny of how financial institutions are managing cybersecurity when they have entrusted information to third parties, like law firms, accountants, and IT contractors. They want to see due diligence on cybersecurity before information is handed over, strong contractual confidentiality protections, periodic audits of security, and notification and cooperation with investigations when incidents occur.” Mr. Thibodeaux notes that a group in the oil and gas industry, including many Houston-based companies, recently founded an Information Sharing and Analysis Organization (ISAO) focused on sharing ideas regarding protecting information shared with outside counsel and information about threats and defenses.