An organization’s data security is only as strong as its weakest partner. When Target was hacked in 2013, exposing millions of customers’ names and credit card numbers—and costing the retailer hundreds of millions of dollars—it turned out that the hackers gained access through one of the company’s HVAC vendors. The hackers traveled from Target’s AC supplier to its point-of-sale machines, at a cost of $292 million and counting.
While many law firms have been criticized, often justifiably, for lagging on cybersecurity, a third-party partner with poor security practices can endanger even the most secure law firms—HVAC system or not.
Take, for example, a major law firm data breach recently revealed by the infosec firm TurgenSec, and reported by Legaltech News and the Financial Times. The breach left sensitive data from 193 law firms exposed. Information including hashed passwords, confidential documents, and even passport numbers and eye colors, TurgenSec says, was unprotected, “accessible to anyone with a browser and internet connection”—if they knew where to look. And unlike Target’s misfortune, this breach doesn’t appear to have been caused by malicious outsiders, but simply lax security practices.
The unsecured database belonged to Advanced, one of the largest software companies in the UK, the Financial Times reports. Additionally, the law firms contacted by TurgenSec indicate that the released data came from Laserforms Hub, an online legal forms product offered by the software company.
TurgenSec lists the nearly 200 law firms whose data was exposed in the breach, including 45 firms with both “primary” and “form” data exposed. Primary data included categories such as usernames, IDs, and hashed passwords, while form data covered information such as authentication codes, company details, and service charges. The impacted firms span the gamut from the largest law firms in the world to small boutique practices.
The law firms’ breached data “appears to contain information relating to the staff of legal firms, and in some cases, potentially sensitive data relating to authentication on behalf of clients,” according to TurgenSec.
However, Advanced’s Director of Security and Compliance, Justin Young, said that most of the information was already public record and none of the exposed information is “deemed sensitive or special category under current legislation.”
“Our detailed analysis, based on our own review and on input from the supplier, has confirmed the discernible data from the firm was limited and historic and only partially visible,” Young asserts. “Any client data was already a matter of public record and no longer private or confidential.”
Whether the law firms who find themselves on TurgenSec’s list of exposed organizations—or the clients whose data those law firms possessed—take comfort in those assurances remains to be seen.
This database breach is just another in a long and growing list of law firm security incidents. In 2020 alone, the industry has seen a major alternative legal services provider shuttered for nearly a month by ransomware attacks, while several law firms have seen their data exfiltrated, held for ransom, then leaked to the public—including sensitive client medical records.
Law firms on their own are hubs of incredibly sensitive data, drawing together information from dozens or hundreds of high-profile organizations that would be difficult to target individually. Access that data through a law firm, though, and you’ve potentially cracked dozens of vaults at once.
Discovery platforms are even more sensitive. They contain not only data worth consulting a lawyer over, but data worth litigating over—and data that’s been culled, organized, and refined.
Discovery data is an incredible target for hackers and incredibly damaging if breached. And such breaches are likely occurring with some frequency. As Lael Andara, litigation partner at Ropers Majeski, has said, “The reality is that it’s already happening. We just haven't necessarily identified the hacks.”
Lawyers and eDiscovery professionals need to make cybersecurity a central part of their approach to litigation. Yet, far too often, such concerns are secondary at best. Glance through your eDiscovery deskbooks, ABA publications, or litigation references—if you can find a substantive discussion of cybersecurity in the eDiscovery process, let us know. Our search, albeit cursory, of eDiscovery treatises available on Bloomberg Law turned up a total of two references to cybersecurity. Two. Across thousands of pages of discovery guidance.
Given the sensitivity of the data legal professionals routinely handle, cybersecurity can’t be an afterthought.
If you don’t know how your data is being treated, or what protections and protocols your tools provide, find out. Don’t let your HVAC provider, or your discovery software, be the weak link.
Discovery is a risky process, but it doesn’t have to be. While using vendors requires you to ship data and hope that it gets to its recipient, data uploaded to Logikcull is encrypted instantly, scanned for viruses, and stored safely in our virtual private cloud.