
In August, security experts revealed that 68 million Dropbox user emails and passwords were hacked and leaked onto the dark web, the portion of the internet that is not indexed by search engines such as Google and is reached only through anonymizing software. For LinkedIn, the number was 167 million leaked credentials. For Yahoo, more than 500 million.

Perhaps you haven’t considered how these breaches involve you. Ask yourself: which email address did you use to sign up for these platforms? If you are a law firm employee and you used your company address, you may have exposed the firm. If you also reuse the same two or three passwords across accounts, particularly the one tied to your work log-in, the risk rises sharply: an attacker who obtains one of those passwords from a third-party breach will try it against every account associated with the same address.

“People don’t quite understand that when you use your corporate email domain for your fantasy football league or your dating site, you’re bringing exposure to the organization,” says Kevin Lancaster, CEO at internet security contractor Protorion Systems.

This exposure takes the form of employee passwords, credit card numbers and other information in the hands of hackers. For law firms, the risk comes when those hackers turn around and use the stolen credentials to try to log in to firm systems, an objective shared with email phishing and one that can affect any enterprise.

Lancaster says he has seen these threats to law firms firsthand. Protorion Systems’ cyber intelligence platform Dark Web ID uses a combination of people (former malicious hackers who now “help the good guys out”) and technology (artificial intelligence) to rummage through the dark web, he says, finding compromised credentials for clients.

Most credentials appear “not within the popular dark web or deep-web sites,” Lancaster says, but in “private chat rooms and member communities” in which hackers operate. Those hackers can then take the compromised credentials and attempt to enter organizations’ systems with the stolen passwords.

These credentials are not evidence of a hack on the organization itself. They are usually stolen in a third-party breach, such as those against social media sites like LinkedIn, file-sharing services like Dropbox, or leisure sites like Sony PlayStation or Ashley Madison. And it is not just email addresses and passwords that are taken: “It’s a credit card number, it’s a Social Security number, it’s a home address, it’s a PayPal account,” Lancaster says of data thefts that can put employees’ own privacy at risk.

Many law firms are aware of these risks but believe their current policies already address them. Peter Devlin, president of law firm Fish & Richardson, told sibling publication Legaltech News that while leaks can occur, “Fish has not experienced any issues from leaks of firm email addresses on third-party websites, and we don’t anticipate any problems arising from those leaks. We are confident that due to security training and policies regarding network IDs and password security, hacked email addresses are not linked to the passwords used on our network.”

Many other law firms contacted by Legaltech News echoed similar sentiments, though they declined to speak on the record given the sensitivity of the subject.

Still, as Legaltech News has previously reported, the ultimate risk is shadow IT, the tools and services employees adopt outside of policy. Ryan McClead, business transformation and innovation architect at HighQ, told Legaltech News, “We talk to law firms all the time. [They say], ‘Oh, we don’t use those types of things. We don’t use Box or Dropbox.’ But if you actually go through and see what people are doing with their domain email address, there are lots of people using these things, and IT isn’t aware of it, and the firm management isn’t aware of it.”

And these threats are only increasing, as evidenced by a September Dropbox leak. To illustrate the potential threat, Protorion Systems exclusively provided Legaltech News with the law firm email domains most frequently found in its dark web searches, accurate as of Oct. 27, 2016. A Dark Web ID (DWID) hit is one email address and password pair discovered under a specific law firm domain; the chart below ranks firms by the number of such hits.

Most Compromises by Total DWID Hits Found

Firm Name                              Domain            Number of attorneys   DWID Hits
DLA Piper                              @dlapiper.com     3702                  5078
Jones Day                              @jonesday.com     2510                  2860
Greenberg Traurig                      @gtlaw.com        1730                  2841
Latham & Watkins                       @lw.com           2101                  2675
Skadden, Arps, Slate, Meagher & Flom   @skadden.com      1654                  2409
Fish & Richardson                      @fr.com           345                   2229
Norton Rose Fulbright                  @nortonrose.com   3461                  2103
Reed Smith                             @reedsmith.com    1638                  2019
K&L Gates                              @klgates.com      1952                  1966
Holland & Knight                       @hklaw.com        1009                  1933

Are All These My Employees?

Lancaster says his team “won’t get many false positives” for these figures, as the company believes most emails and passwords found are legitimately from the firms. There are, however, a few caveats that mean not all of the compromised emails it encounters belong to current law firm employees.

The first is simple movement: people often don’t stay at the same firm for long, and Protorion Systems does not verify that any particular compromised address belongs to a current employee unless a client explicitly asks. To explain this point, consider a breach of LinkedIn, Lancaster says, noting that many of the site’s users have had the same LinkedIn account for five years or even longer.

“For DLA Piper, let’s say they had 350 exposures with LinkedIn. It’s possible half of those aren’t even employees anymore,” Lancaster explains. “We don’t make that designation because we don’t have the resources and time to do that, and we don’t have access to their active directory.”

The second issue is fake website registrations under a specific domain. This is more common, Lancaster says, for short domains that users simply type in during registration. That may partly explain the figures for law firms with short domains, notably Fish & Richardson (fr.com) and Jackson Walker (jw.com), two of the top three by highest percentage of attorneys.

When contacted by Legaltech News, Fish & Richardson noted that not all of its email addresses are used as log-ins, and that the public nature of email addresses can produce further false positives.

“As is the case with virtually every law firm, all Fish legal staff email addresses are public, and posted on our website, because we want to make it easy for clients to contact us,” Devlin says. “We know that this creates an unavoidable opportunity for criminals to spoof our email addresses. On the other hand, firm network usernames are unique and are not publicly available. The firm network requires complex passwords that are frequently changed. These protocols ensure that our network is protected even when third-party sites are hacked.”

So What Does It Mean?

Lancaster stresses that these compromises are not breaches but vulnerabilities: a leaked address and password are a foothold an attacker may try, not proof that one has been used. The key, he says, is to have procedures in place both to know about and to defend against log-in attempts that use these credentials, and to make sure employees actually follow those procedures.

“What we’re trying to suggest is, it’s not about your exposure yesterday and what we find, it’s actually about your exposure tomorrow,” Lancaster says. “It’s not about if you’re going to get hacked, it’s about detection of when it happens and the actions taken from that.”

He suggests three courses of action. First, firms should establish and enforce policy on where firm-owned email addresses may be used. Many firms already have such policies, and many he works with “use our platform to reinforce policy,” he says.

Second, he stressed the importance of two-factor authentication (“the password plus something”), which adds a second barrier such as a code sent by text message or a biometric, so that a stolen password alone is not enough to get in, as well as other technologies. Fish, for example, uses “software that screens emails to filter and quarantine incoming email from viruses, malware, and phishing attempts,” Devlin explains.

Third, he notes the importance of training employees not to click on unknown links and to understand the dangers of unsecured Wi-Fi connections, which give hackers an easier and less noticeable way into a system.

These points are especially true, he says, for midsized law firms. While the largest firms may have the most total hits, midsized firms have more hits relative to their headcount and may be the most at risk.

Finally, he adds that an important step is to talk about these security concerns, not only with corporate clients, many of whom may already have the data, Lancaster stressed, but with all of the stakeholders within the organization.

Devlin says his firm has taken this to heart. “Fish has a cybersecurity committee that includes our general counsel, attorneys who are cybersecurity experts, and IT leadership. The committee creates policies, promotes security awareness training for all employees, and is quickly made aware of any potential security issues identified by proprietary screening technologies.”
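The article describes two things a firm can do with a credential dump: count DWID-style hits per email domain (and weigh them against headcount, the caveat raised for midsized firms) and make sure leaked passwords are never accepted on the firm network. The script below is an added example, not Protorion Systems’ Dark Web ID or any code from the firms quoted above. The dump lines, domains and headcounts are constructed for illustration; real dumps commonly use the same "email:password" layout. The password check uses the SHA-1 prefix (k-anonymity) lookup style popularized by range-query breach APIs, here run entirely offline against the local corpus.

```python
"""Constructed example: triage a credential dump offline.

Counts distinct leaked pairs per email domain, normalises them by headcount,
and checks candidate passwords against the corpus using a SHA-1 prefix index
so that a password policy can reject anything already leaked.
All data below is made up for illustration.
"""
import hashlib
from collections import Counter, defaultdict

# Constructed dump lines (not real credentials). The repeated alice line
# simulates the same pair surfacing in two leaks; the malformed line
# exercises the parser's skip path.
SAMPLE_DUMP = """\
alice@example-law.com:Summer2016!
bob@example-law.com:hunter2
alice@example-law.com:Summer2016!
carol@mail.example:correct horse battery staple
dave@example-law.com:Winter2016!
not-a-credential-line
erin@tinyfirm.example:Password1
"""

# Constructed headcounts for the hits-per-person view.
HEADCOUNT = {"example-law.com": 300, "tinyfirm.example": 10}


def parse_dump(text):
    """Return de-duplicated (email, domain, password) tuples.

    Only the first ':' separates email from password, so passwords that
    contain ':' survive. Lines without a usable address are skipped.
    """
    seen = set()
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email or not password:
            continue
        key = (email, password)
        if key in seen:          # same pair seen in another leak
            continue
        seen.add(key)
        records.append((email, email.rsplit("@", 1)[1], password))
    return records


def hits_by_domain(records):
    """Distinct leaked pairs per domain: the 'DWID hits' metric."""
    return Counter(domain for _, domain, _ in records)


def exposure_rate(hits, headcount):
    """Hits per person; domains with unknown headcount are omitted, not guessed."""
    return {d: hits[d] / headcount[d] for d in hits if d in headcount}


def build_prefix_index(records):
    """Index leaked passwords by the first 5 hex chars of their SHA-1.

    Same layout as k-anonymity range queries: a client would send only the
    prefix and compare the returned suffixes locally.
    """
    index = defaultdict(set)
    for _, _, password in records:
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def is_pwned(password, index):
    """True if the candidate password's SHA-1 is in the indexed corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    hits = hits_by_domain(recs)
    for domain, n in hits.most_common():
        print(f"{domain:20} hits={n}")
    for domain, rate in exposure_rate(hits, HEADCOUNT).items():
        print(f"{domain:20} hits per person={rate:.2f}")
    idx = build_prefix_index(recs)
    for candidate in ("hunter2", "Tr0ub4dor&3"):
        print(f"{candidate!r} pwned={is_pwned(candidate, idx)}")
```

On the constructed input the larger domain has three hits to the small firm’s one, but the small firm’s hits-per-person figure is ten times higher, which is the point Lancaster makes about midsized firms. The prefix index is the piece to wire into a password-change workflow: reject any new password whose suffix matches, without ever shipping the full hash off the box.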