Law firms targeted in top 10 worst cyber attacks

Cyber attacks that targeted major Canadian law firms are among the top 10 worst security breaches in North America, according to a list compiled by virtual data room provider Firmex.

The list, which includes Google and Dallas marketing firm Epsilon, cites a total of 11 unnamed Canadian law firms among companies across the continent that suffered major cyber break-and-enters, potentially revealing sensitive client information to hackers.

In one 2010 security breach involving a takeover deal between BHP Billiton and Potash Corp, “hackers rifled through the networks of seven law firms looking for confidential information pertaining to the proposed $38 billion bid,” says Firmex.

The incident was blamed on China’s state-owned Sinochem Group, which allegedly feared BHP’s takeover of Potash Corp would lead to global control over the supply of potash and sought to disrupt the bid, according to Firmex.

Attacks against law firms are becoming more targeted, says Debbie Stephenson, who researched security breaches to compile the list.

“Hackers are seeing if they can get backdoor entry to law firms, they can get access to a lot of client information,” she says. “They’re becoming smarter.”

In another attack in April 2011, which Firmex calls “one of the most devious,” four Canadian law firms were targeted by hackers attempting to access sensitive documents by posing as partners who were working on an acquisition of a Chinese company, says Stephenson.

Lawyers “received e-mails that appeared to be from a partner working on the deal,” the Firmex list explains. “The e-mails were fake and included attachments that contained malware, which when opened successfully infected dozens of computers.”

It’s unclear if confidential documents were actually leaked through the espionage, but the fact that hackers can gain access to law firm computers is troubling, says Stephenson.

While not on Stephenson’s list, last December a Toronto-area law firm lost “a large six figure” amount after a virus gave hackers backdoor access to its bookkeeper’s computer, according to LawPRO. The virus copied bank account passwords as she typed them. 

Law firms are “somewhat lagging in security,” Stephenson adds. “They’re playing catch-up with these advanced techniques.”

Some law firms have banned the use of personal e-mail at work to reduce risks, and others have outlawed the use of document-sharing products like Dropbox, which lack advanced encryption features.

“It’s just important to note that [cyber attack] is on the rise,” says Stephenson. “It is the new crime wave in the millennium and it’s something that we’re really not prepared for.”