Hackers are understood to have breached the security systems of at least one major international law firm as a long-predicted cyber espionage scenario has become reality.

Reports from the US say that two magic circle firms were among 48 top firms to be targeted by attackers seeking inside information on mergers and acquisitions.

Security experts have long warned that law firms are seen as a ‘weak link’ in the chain of secrecy surrounding such deals.

New York security firm Flashpoint has issued an alert warning that a Russian cyber criminal had targeted 48 elite firms, including Hogan Lovells, Allen & Overy and Freshfields, to steal information on mergers for insider trading. Flashpoint would not comment on details of the alert, but said it had passed details to the relevant law enforcement authorities.

One of the 48, New York and London firm Cravath Swaine & Moore, said in a statement last week that its systems had been breached last summer. It said it was ‘not aware that any of the information that may have been accessed has been used improperly’. The firm said it worked closely with law enforcement agencies on the breach, and reinforced its IT systems.

‘Client confidentiality is sacrosanct. We will continue to work to ensure our systems are best in class,’ it said.

Peter Armstrong, cyber director at risk manager Willis Finex Global, told the Gazette that law firms are under a persistent threat from criminals seeking inside information.

He said: ‘Firms aggregate sensitive information, such as on mergers and acquisitions, and so are very high on the target list of both organised criminals and nation states.’

He said the news of the attack shows ‘people are just beginning to wake up to the fact that they are being targeted and they have a problem’.

One of the difficulties, he said, is that some senior partners do not adhere to security policies set out by their firms. As an example, he said that while some firms have policies barring the use of online storage services such as Dropbox, partners continue to use them.

Armstrong called on regulators to do more to protect the sector. ‘The regulatory community needs to step up and amplify its focus on generating guidance and developing good practice for law firms,’ he said.

A spokesperson for the Solicitors Regulation Authority said reports of the attacks show firms must assess the systems they have for keeping client information safe.

The spokesperson added: ‘We have raised this numerous times, and we would urge all firms to ensure they have appropriate processes and procedures in place. Any firm which has a data breach that compromises confidential client information has an obligation to let us know.’

Law Society president, Jonathan Smithers, said: ‘The Law Society has worked with the UK government as part of its national cyber-security strategy and with the police to produce advice and training for our members on protecting against these threats.

‘We will continue to do everything we can to raise awareness and provide practical advice to solicitors in firms of all sizes.’