I wrote a while back about hackers that had compromised a law firm and, through it, the firm's customer Hiscox insurance – or, said differently, Hiscox and one of its vendors. The law firm was handling claims related to 9/11 (almost 20 years later and still litigating!).
A lot of law firms (certainly not all) have not figured out that they are a high-value target for hackers precisely because of all of the customer data that they hold.
The hackers broke into the law firm and stole tens of thousands of claims documents and emails. Stuff that Hiscox’s clients probably did not want to be public.
Then the hackers tried to extort Hiscox and the law firm.
Apparently that didn’t work.
The hackers had distributed three encrypted blobs of stolen data after the extortion became public a couple of months ago, withholding the keys.
Now the hackers have released the key to another blob. This time it exposed about 8,000 emails – about 5 gigabytes of material. That means a lot of attachments; 8,000 plain emails would be a lot smaller.
Since the hackers are dribbling out these keys, they may still be trying to extort the law firm and Hiscox, but each one of these data dumps makes things worse for the victims.
Hiscox’s story was “it wasn’t us,” meaning that the hackers didn’t break into the insurance carrier itself. But, you know what, when it comes to lawsuits, Hiscox’s customers are going to say that they gave the documents to Hiscox; if Hiscox then gave them to someone else, that is Hiscox’s problem, not theirs. And, I think, the courts are likely to agree.
And, Hiscox added, once they learned about the breach, they informed the policy holders.
I’m guessing that the insureds are going to say that Hiscox had a fiduciary responsibility to protect the data that they shared and that responsibility can’t be waived.
Given that this is 18 years after 9/11, those suits still being litigated are probably big dollar claims. I hope Hiscox has a lot of insurance because I can’t imagine they are not going to be sued.
Okay, so what is the implication to you?
At every level here we are talking about vendor cyber risk management (VCRM): between Hiscox’s clients and Hiscox, and between Hiscox and its vendors. There will be lawsuits over that.
The second issue is the security at the law firm. Apparently not so good. How good is the security at the law firm that you use? Even though you might be able to sue them after a breach, that doesn’t really solve the problem.
Now there is a big mess. Who gets to pay for the cleanup? Look at the agreements that everyone signed. My guess is that the law firm wrote something in the contract that said they were not responsible. Assuming Hiscox accepted such language.
Did the law firm have cyber risk insurance? If not, can they write a check for $10 or $100 million out of their checking account? If not, they file for bankruptcy and walk away, leaving the customer holding the bag.
YOU, as the customer, need to make sure that everyone has their ducks in a row. To quote a sign I saw yesterday:
I don’t have ducks
I don’t have a row
I have squirrels
And they are drunk
Information for this post came from Motherboard.