Last week, the Fifth Circuit upheld the conviction and sentencing of Anastasio Laoutaris, who was accused of hacking into the computers of an Am Law 100 firm resulting in over a million dollars’ worth of damage. In 2016, Laoutaris was sentenced to 115 months imprisonment and ordered to pay $1,697,800 in restitution for two violations of the Computer Fraud and Abuse Act that shut down hundreds of computers and accounts at Locke Lord LLP.
But Laoutaris wasn’t your made-for-TV hacker: He was no anarchist computer-whiz teenager, no member of a Russian cyber-extortion collective, no government-backed computer espionage expert. He was a Senior Systems Engineer who had spent five years with the firm before he was accused of high-tech and extremely expensive corporate sabotage.
Laoutaris’s story reminds us that, for all the focus on malicious outsiders, some of the greatest threats to law firm data security come from within the firm itself.
Former Big Law IT Engineer Hacks Firm
For five years, Laoutaris worked as a Senior Systems Engineer for Locke Lord, the international, 800-attorney firm based out of Dallas. Then, in 2011, the IT engineer and the firm parted ways. Two years after his departure, Laoutaris was indicted on three counts of felony hacking, violations of the CFAA. The CFAA, q Reagan-era anti-hacking statute inspired by the Matthew Broderick and Ally Sheedy film WarGames (really), creates criminal and civil penalties for “unauthorized access” to virtually any computer system.
According to the government, four months after he left Locke Lord, Laoutaris returned, at least to the company’s internal network. The government accused Laoutaris of twice accessing the firm’s network without authorization and “knowingly caus[ing] the transmission of a computer program, code, and command,” which damaged Locke Lord’s computers.
The first malicious code transmission, according to the original indictment, “impaired the integrity and availability of 18 administrator accounts, 356 computer, and 359 user accounts,” as well as the data associated with those accounts. The second impacted 105 server accounts and 140 computers. The third transmission shut down all email accounts at Locke Lord’s Dallas headquarters. A later, superseding indictment removed many of these details and reduced the charges to two counts of computer intrusion causing damage.
Though there are few details on just what sort of damage Laoutaris inflicted, and just how he inflicted it, the impact seems to have been severe: A forensic account estimated that the damage caused by the hacking resulted in $1,461,910 in lost revenue, though a spokesperson for the firm said that client information was never compromised by the attack.
A jury convicted Laoutaris of two felony CFAA violations and he was later sentenced to over nine years imprisonment. The Fifth Circuit upheld both his sentence and conviction last week.
In a brief, four-page opinion, the three-judge panel rejected Laoutaris’s arguments that there was insufficient evidence that he had accessed Lord Locke’s network and caused damage. “Contrary to his assertions,” the court explained in its unpublished, per-curiam decision, “there was ample circumstantial evidence identifying him as the perpetrator of these offenses.” The court similarly rejected his arguments that the sentencing court erred in applying an obstruction-of-justice sentencing enhancement and including Lord Locke’s lost revenues in its calculation of actual losses. The court’s obstruction finding was plausible, the court determined, while the lost revenue calculation was, “at the very least, a reasonable estimate of the amount of lost revenue”.
Security Threats: Here, There, and Everywhere
Of course, Laoutaris isn’t the first person to have hacked into a law firm’s network. In 2016, the Department of Justice indicted three Chinese traders who broke into the emails of major law firms, using the information gained from their M&A practices to make millions on insider trading. That same year, Oleras, a Russian hacker, targeted dozens of major firms, seeking out lawyers whose vanity might make them susceptible to hacking. Then, last summer, a ransomware attack shuttered DLA Piper for days, likely resulting in several million dollars of lost revenue.
It’s not just the Am Law 100 who are targeted by cybervillians, either. Cybercriminals, from hackers to email scammers, have gone after legal professionals of all stripes, from a major settlement administration company to a solo practitioner with a Yahoo email account.
Such attacks are a constant reminder that attorneys need to remain vigilant when it comes to cybersecurity. Legal professionals, after all, have access to some of their clients most valuable information, from corporate secrets, to insider information, to settlement guidelines. It’s a virtual treasure trove of valuable data—one that, if poorly guarded, could result in a disastrous breach.
But Laoutaris’s story stands out, too, because it highlights the risk not just from outside bad actors, but from those within an organization, including current insiders and disgruntled ex-employees. Insider data theft and privilege misuse is behind 15 percent of all data breaches, according to the 2017 Verizon data breach report.
And when insiders turn into outsiders—that is, when employees leave a firm—they can often still wreak havoc with their former employers’ systems. According to a 2017 survey of 500 IT security professionals conducted by OneLogin, an identity management company, more than 50 percent of companies allowed ex-employees to access corporate accounts after their departure. Over half of the respondents took more than a day to lock ex-employees out of their systems, while 25 percent took over a week. This isn’t without consequence. Twenty percent of respondents reported that “failure to deprovision employees from corporate applications” had contributed to a subsequent data breach.
Law firms looking to protect themselves have several options at their disposal. A security information and event management (SIEM) system can help detect threats to corporate networks and potential red flags in employee behavior. A secure platform for your most sensitive information, one which limits transfer points and encrypts data in motion and at rest, can provide essential protection when dealing with client data. Even something as simple as encrypted email and two-factor authentication can offer significant improvements to your security.
As Laoutaris’s story reminds us, threats against law firm security can come from anywhere. The best defense is to take precautions before anything goes wrong.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org or on Twitter at @caseycsull.