Remember the Panama Papers hack? 11 million documents stolen, causing one Prime Minister to resign and another to be fired? If not, check out an old post here. That hack caused the law firm of Mossack Fonseca to go out of business.
Well, it seems that some other firms may be on the wrong end of the hackers' mouse pointer.
The hacking group The Dark Overlord claims to have hacked law firms handling September 11th litigation and has stolen tens of thousands of documents. It is believed that there are two law firms involved: Hiscox Syndishares Ltd and Lloyds of London. The group claims to have hundreds of gigabytes of documents.
They say the data stolen includes emails, retainer agreements, litigation strategies, liability analytics, expert witness testimony and conversations with the FBI, DoJ and DoD, among other stuff.
They claim that at least one law firm paid the initial ransom but then violated the terms of service by bringing in the police. Now they want more ransom.
The hackers claim to be shopping the data on the dark web.
However, they are very kind. They say that if you are working with this law firm and you don’t want your stuff released, contact them, pay them a separate ransom and they won’t release your stuff.
You have to admit that it is pretty entrepreneurial.
This is the same group that stole the unaired episodes of Orange is the New Black, threatened to publish the plastic surgery files and photos of the rich and the famous and even threatened to physically harm school children, sending school districts and parents copies of stolen information on the kids. Not necessarily a nice bunch.
The cops did arrest a Serbian who, they claimed, was associated with the group, but that apparently hasn’t stopped them.
What does this mean for you?
One challenge is that no law firm has admitted to the breach or to paying the ransom, but if you believe that Hiscox and Lloyds were the targets and you are a client of theirs, you might want to start thinking about damage control.
It does appear that these folks are pretty mercenary, so if the law firms pay up, maybe they won’t release anything.
If they do release documents, there is the prospect of collateral damage. Maybe they will release documents very selectively, but since they say they will bury the law firms, they will more than likely be less than selective, and in that case collateral damage to the firms' clients is likely.
Now would be a good time to look at your agreements with your various law firms, no matter who they are.
On the other hand, if you are a law firm, now would be a good time to review your security practices.
Is there anything in writing about cybersecurity requirements?
What about liability for damages if they get hacked?
Do they have to provide annual third party certification of their cybersecurity practices?
Are they even required to notify you if your stuff is compromised? (Note that in many cases, the law does not require that).
And, of course, you are dealing with lawyers. If it is not in writing it will be hard to impossible to enforce.
If cybersecurity requirements are missing, now might be a good time to review and amend your agreement. In many cases you can switch law firms at any time since it is extremely rare to have any kind of exclusivity with law firms. Even if there is current litigation, you could leave that with the existing firm and move new business to a new firm.
If the firms say that you should trust them, tell them that you do. And you still want it in writing. Trust, but verify, so to speak.
One thing that we do not know: how many other firms have been hacked and have not said anything about it? Think of reviewing and changing your law firm agreements as insurance.
Information for this post came from SC Magazine.