Panama Papers: Implications for In-house Lawyers and Private Practice

May 19, 2016

The Panama Papers hack at law firm Mossack Fonseca illustrates three vital points for in-house lawyers and law firms:

· law firms are a prime target for attacking their client organisations (and it is happening widely already)

· in turn, those organisations have some legal responsibility for ensuring their suppliers such as law firms have adequate cybersecurity

· Mossack Fonseca’s cybersecurity vulnerabilities overlap with many that most law firms might have.

Law firms can be a weak point for their clients

Organisations’ law firms – of which Mossack Fonseca is an example (but it’s far from isolated) – can be a soft target to hack into instead of the organisation. Lawyers typically hold valuable, Crown-jewel information. As the Law Society notes, ‘law firms are particularly attractive sources of information’. Why waste time trying to crack into the organisation when the organisation’s law firm holds the information less securely? The Panama Papers illustrate this so well, with their huge reach across many thousands of the law firm’s clients. The hackers would get only a fraction of the information by targeting the clients directly.

Below we outline some of the cybersecurity weaknesses at Mossack Fonseca: weaknesses that many other law firms will have too.

In March, the major New York commercial law firms, Cravath and Weil Gotshal, reported that they had been hacked (as had many other major US firms). They handle some of the biggest US M&A transactions, litigation and commercial work. They offer insider-trading opportunities for hackers on top of numerous other ways they can use highly sensitive information held by law firms. The range of hackers is wide and it’s not just Russian criminals and the like: the latest major cyber-attack in the UK – the TalkTalk hack – was done by a handful of savvy English teenagers, for example.

There are plenty more law firms being hit. In the last few weeks for example, we’ve learned of these incidents (and this is just the tip of the iceberg):

· a sizeable law firm being held to ransom by cyber attackers, which paid the ransom in bitcoin; and

· a fake email from the law firm’s managing partner which led the finance manager at a large law firm to pay funds to a hacker. This is a variant on ‘social engineering’ as a means of cyber-attack, and dealing with social engineering (by staff training, for example) is an important facet of cybersecurity.

Former head of the FBI’s cyber branch in New York, Austin Berglas, recently told The American Lawyer, ‘law firms are traditionally understaffed in cybersecurity, compared with large corporations and banks’.

What the big clients are doing about this

Large organisations increasingly recognise this problem and some require stronger defences by law firms. For example, Bloomberg has reported that ‘Many Wall Street banks, including Bank of America and Merrill Lynch, typically require law firms to fill out up to 20-page questionnaires about their threat detection and network security systems. Some clients are even sending their own security auditors into firms for interviews and inspections.’

Illustrating that dealing with cybersecurity requires teamwork across multiple disciplines – such as ICT, HR, communications, finance, and legal – we’ve asked some experts to comment. First is Michael Wallmannsberger, Chief Information Security Officer (CISO) at Wynyard Group: the CISO role is an increasingly important one in organisations and cybersecurity is central.

Notes Michael Wallmannsberger:

‘Information security audit by specialists is one of three foundations of security, without which little else matters. The other two are having clear policies regarding information security and knowing what IT and information assets your organisation has. There are many other important controls too, but they will be ineffective without these three things.

Internal audit, which is about checking that you are complying with your own policy, is necessary to achieve consistent security. It is also an excellent way to communicate to a range of business stakeholders what they are required to do to maintain security for the organisation.’

Organisations have legal responsibility as to their information held by third parties

Many countries put legal duties on organisations to take steps to ensure that their information held by third parties such as suppliers, including law firms, is not placed at undue risk of being hacked. The organisation often cannot just rely on the third party (such as the law firm) to ensure it takes the right steps. For example, data protection regulation might require an organisation to take reasonable steps to ensure that its suppliers have taken steps to protect the organisation’s information in their hands – the Data Protection Act 1998 provides, in sch 1, para 11 (with some refinements as to contracts in paragraph 12):

‘Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle–

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.’

There may also be relevant duties in tort, under law as to confidentiality, and so on. Contract may raise the standards required beyond, say, taking reasonable steps: for example, a contractual commitment to the organisation’s customers promising 100% security – the sort of thing the marketing people may want – could lead to liability even if there hasn’t been negligence. 100% cybersecurity is an impossible nirvana.

Many of the cyber-attacks involving organisations have been made via third parties such as suppliers that are associated with the organisation which is the ultimate target, instead of directly against the organisation.

So the legal duties as to the organisations’ suppliers and other third parties are particularly significant.

In any event, organisations have reputational and financial risk to consider, as to information held or accessible via suppliers such as law firms.

What cybersecurity failure led to the Mossack Fonseca breach?

How Mossack Fonseca was hacked is not yet known, at least outside Mossack Fonseca. It might have been an inside job, but that is still a cybersecurity issue.

However, IT experts have been able to show multiple ways in which the attack could have been facilitated by Mossack Fonseca’s weaknesses. Many law firms will have similar (or the same) applications and problems. Mossack Fonseca is not an outlier by any means.

Continuing the focus on inter-disciplinary expertise and teamwork, which we think is so important in this area, we’ve sought advice from Peter Bailey, GM at Aura Information Security, a specialist cybersecurity firm that does, among other things, the cybersecurity risk audits which are best practice for organisations. This includes penetration testing, the process by which Aura takes steps such as trying to hack into the organisation, eg through firewalls and by social engineering.

Says Peter Bailey:

‘It seems that Mossack Fonseca were running extremely out of date software. One of the means the perpetrators could have used to gain entry from an external starting point into the internal network, was through a vulnerability in the website that could be three years out of date. It appears that the problem is systemic and that the infrastructure was riddled with critically out-of-date software.

If you put a server on the Internet, it will be attacked. Full Stop.’

Here’s an example of how this problem arises. Many law firms have content management software. Mossack Fonseca uses Drupal, which is a widely used open source programme. In fact, open source is a major part of many apps that law firms use, including some proprietary software, so it is a big part of cybersecurity risk.

Lawyers will be familiar with the patches that pop up frequently on their computers to update proprietary software such as Microsoft and Acrobat. Or the computer informs the user that the updates have been done automatically (hence the frequent pop up notice requiring rebooting). Often these fix security vulnerabilities on top of improving functionality. The fact that users are reminded to do the updates via the pop-up makes it much more likely that the vulnerabilities to attack are minimised. Open source software, however, generally doesn’t send out automatic updates. Law firms have to proactively add the patches.

Where this doesn’t happen – it didn’t at Mossack Fonseca – the law firm can have significant vulnerability to attack. For example, Mossack Fonseca’s version of Drupal had at least 25 security vulnerabilities, known about since 2013 and for which there were patches.

Here’s what Forbes said when reporting on the Panama Papers breach:

‘Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 [which is the version that Mossack Fonseca used] within seven hours of its release should have assumed they’d been hacked.’

As we note above, Mossack Fonseca is far from being an outlier. This is the sort of failing that penetration testing is designed to uncover. As Peter Bailey says:

‘This is a common problem for companies, and one we often see when we penetration test websites for a number of organisations, both small and large. Again, regular security testing of your system is important, to look for any other gaps, flaws or even incorrect settings.’

Moving to another problem at Mossack Fonseca, Peter notes their poorly architected and implemented network infrastructure:

‘The security of your network infrastructure is incredibly important – ensuring that you have the right hardware and software in place to adequately protect your information. In this case, it was reported that possibly the Mossack Fonseca server was not behind a firewall. It is baffling why that is so, since having a firewall in front of an organisation network is pretty much standard everywhere else.

A properly configured firewall provides a good degree of security on your network. A set of predetermined security rules run in the firewall, and monitor and control incoming and outgoing traffic. If anything looks like it doesn’t belong, based on the rules, then it will be blocked. If you are not using a firewall on your own network, then you are opening yourself up to a number of network attacks.’

Another apparent vulnerability at Mossack Fonseca is what appears to be the absence of Data Loss Protection (DLP) software. DLP detects potential data breaches and abnormal transmissions, and prevents them by monitoring, detecting and blocking sensitive data and transmissions. While it won’t always work, the massive amount of data being taken here may well have triggered a DLP to block its removal.

In summary, Peter Bailey observes:

‘Truth be told, security implementation is not easy. There are often so many various elements to consider and so many assets to protect. Weakness in any of them would potentially result in a breach. Consider engaging professionals to conduct regular penetration testing to probe and evaluate the current implementation to identify gaps and weaknesses that might otherwise not be obvious to the organisation.’

The cost of cybersecurity inaction

The Panama Papers fallout provides a glimpse of what can happen when organisations are compromised through the cyber vulnerabilities of their third-party suppliers, including law firms. Given that organisations are increasingly recognising (and are legally obliged to address) the issue of third-party cybersecurity, the experience of Mossack Fonseca provides a powerful wake-up call for in-house lawyers and law firms.

The final word goes to Peter Bailey: ‘Security is costly. But can you afford not to?’

Michael Wigley and James Young-Drew are Principal and Solicitor, respectively, at Wigley & Company, a law firm based in Wellington, New Zealand: http://www.wigleylaw.com/