Eurojuris Magazine


After Ashley Madison: what are the risks of data theft for lawyers?


The recent meltdown caused by the theft of data from the infamous Ashley Madison website calls for another point of view: that of a law professional!

The Ashley Madison case has attracted a lot of attention, some of which comes from the British members of the LawNet network. One of them, Mario Savvides, of law firm Grant Saw Solicitors, has published on his firm's website a paper entitled "Hot dates and hot data", which has been passed around the network to remind lawyers of the risks that the Ashley Madison affair exemplifies.

'I head up the IT at Grant Saw with one of my partners, Mike Clary', Mario explains, 'so I was especially interested in this paper and this case. I have given training to my staff about the importance of data protection.'

Mario says hacking is changing. 'Traditionally, hacking is the manipulation of weaknesses in computer systems to access private data and possibly corrupt your files. Antivirus technology appears to have improved considerably over the years, increasing the safety and security of businesses’ IT infrastructure to the extent that most such attacks are now preventable. Hackers have had to become more sophisticated and employ new methods to infiltrate protected computer systems. Rather than target weaknesses in computer systems to plant their viruses, they are now increasingly using a form of social hacking by targeting human beings, i.e. innocent members of your staff, to smuggle in the virus.'

Hackers may actually target law firms in particular because they host valuable data about their clients. 'They do their research, find out as much useful information about the company as they can, for example, by looking at the “Our People” section of your website, to learn the name and contact details of your employees, what they specialise in, how to contact them etc. They then make contact with that member of staff as though they have a genuine business interest in your firm. One example is the sending of an e-mail purportedly from a real client, attaching to it a document which, on the face of it, seems like a legitimate document, the type of which that member of staff is likely to receive on a regular basis in his or her capacity as a lawyer or secretary in their given field of law. Of course, when the file is opened, a virus is contained within and gives access to everything on the system which that particular member of staff has access to.'

Mario insists that law firms should make special efforts to train their employees to recognise such risks. 'You need procedures in place,' he says. 'You must train your staff so they know when to be aware of possible threats and not fall into these traps. Businesses can lose thousands of pounds just by handing over one piece of information too much during a telephone conversation! We are hearing stories of the most outrageous methods employed to trick staff members into handing over information. In a recent case, a call was made to a firm and the caller asked the receptionist for the name of the accounts manager. When put through to the accounts manager, the caller claimed to be calling from the firm’s bank and called him by his name, making the call seem all the more legitimate. They alleged there was an issue with suspicious activity on the account, ran through a few security questions to further legitimise the call and, once the accounts team were convinced it was a genuine call from the bank, persuaded the accounts team to shut down monitors until further notice. As I understand it, that's when they started the real hacking! If memory serves correctly, the hackers successfully made three transfers of 70,000 pounds out of the firm’s account. It was only when they attempted a fourth transfer of £700,000.00 that the real bank was alerted and further transfers were prevented.'

The biggest risk today seems to be less a highly advanced technological ruse than the simple tricking of people sitting behind a computer. 'Manipulating people into opening infected attachments, putting a memory stick into their computer or simply giving too much information on the telephone seems to be the biggest risk to businesses with modern day hacking', concludes Mario. Thus, training the human being is also your best defence. If there is anything to learn from the Ashley Madison affair, it is to train yourself and your staff to identify dangers and thereby avert them.
