In March, Microsoft announced that it had been hacked. Or rather, that more than 30,000 of its customers had been—likely including hundreds if not thousands of law firms. A cyberespionage group backed by the Chinese government had found a way to exploit four vulnerabilities in outdated Microsoft Exchange Server email software. According to journalist and cybersecurity expert Brian Krebs, once the hackers had access to the email systems, they were able to “seed hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.”
Logikcull CEO and Co-Founder Andy Wilson recently sat down for a roundtable discussion organized by Law Practice Today and the ABA’s Law Practice Management Division on the impacts of the Microsoft Exchange Server hack and what it can tell us about cyber risks (and responsibilities) for the legal industry. He was joined by Clinton Sanko, shareholder and eDiscovery officer at Baker Donelson, Natalie Shkolnik, partner at Wilk Auslander, Jake Bernstein, partner at K&L Gates, and Eli Wald, professor of legal ethics at the University of Denver Sturm College of Law.
Highlights from the conversation follow, though you’ll want to read the full conversation in the ABA's Law Practice Today.
Andy Wilson: Hackers don’t want your password. They don’t want to take over your Mom’s Facebook account. They don’t care too much about the spam in your inbox. What they want is money—and to a lesser extent, in the case of nation-state hackers like those suspected to be behind the Microsoft hack—they want your secrets.
Law firms are a one-stop-shop for that incredibly valuable data. They manage mergers and acquisitions across dozens of clients; they help protect some of the most valuable intellectual property in the world, and they advise on incredibly sensitive information for incredibly deep-pocketed clients.
Instead of going after individual organizations for that information, which are always more robustly protected, hackers can target law firms, whose databases provide access to sensitive files from hundreds, if not thousands, of clients.
“Hackers don’t want your password. They want money, and to a lesser extent, they want your secrets. Law firms are a one-stop-shop for that data.”
That’s not just hypothetical. We see it happen over and over, whether through phishing partners’ email accounts, brute force cyber attacks, or simple human error that leaves sensitive information exposed.
Jake Bernstein: The Hafnium attack—widely attributed to a Chinese cyber espionage military unit—perpetrated against Microsoft Exchange Server exploited a number of newly discovered flaws in on-premise Exchange servers.
“Any documents or communications made with affected law firms could be sold on the dark web to almost anyone.”
In many states, that is enough to constitute a data breach, even without proof of exfiltration. Worse, Hafnium quite likely affected a disproportionate number of large law firms simply because many have yet to make the transition to a cloud-based email infrastructure.
The fact is that email security is hard and doing it “at scale” is extremely difficult. This hack essentially means that any documents or communications made with affected law firms could have been intercepted and copied by threat actors and then sold on the dark web to almost anyone. Businesses who rely on email to communicate with outside law firms must pay attention to whether a law firm has modernized its email infrastructure or, at minimum, prepare to ask some tough questions about their law firms’ security.
Andy Wilson: First, stop blindly trusting law firms to protect your data for you. We see corporate clients putting vendors and software companies through the security wringer on a daily basis to ensure they have the right certifications, the most robust protections, and more. But we almost never see them demanding the same of their law firms. Why?
Second, try not to hand your data over to law firms at all. You can own the platforms your data lives in, and therefore own the protections it’s given.
“First, stop blindly trusting law firms to protect your data for you. Second, try not to hand your data over to law firms at all.”
Eli Wald: The Microsoft data breach should not cause reasonable corporate clients to lose faith in reputable third-party providers’ and businesses’ ability to protect their sensitive data. It should, however, lead clients to insist that businesses they use (law firms included) only use reputable and cyber-savvy third-party providers, and that businesses they use put in place reasonable cybersecurity plans to both minimize the probability of successful hacks and effectively respond to them promptly when they do occur.
Clinton Sanko: Throughout the course of litigation, corporate clients should consider their strategy for protecting their data. The strategy should begin with preservation and continue through production and decommissioning.
This almost always involves partnering with experienced eDiscovery providers. Oftentimes, these decisions are left in the hands of the trial lawyer who was chosen for their substantive or industry expertise.