In a grim reminder of how law firms in the UK have become favourite hunting grounds for hackers of late, leading London law firm Anthony Gold Solicitors recently had its email accounts compromised by unknown attackers.
The attackers broke into several email accounts of Anthony Gold Solicitors and sent 16,000 phishing emails with malicious attachments to its clients and partners.
As is the case everywhere else, law firms in the UK handle potentially sensitive and highly confidential information on behalf of their clients, including details of future mergers, market strategies, board communications and succession plans.
As such, any breach of their systems can land such confidential data in the hands of unintended, sometimes malicious, recipients. It is thus important for law firms to ensure their employees are cyber-aware at all times and do not fall victim to phishing and spoofing attacks originating via emails.
Cyber criminals breach email accounts of law firms not only to steal sensitive corporate or personal data, but also to use the firms' credibility to conduct malicious phishing and spoofing attacks on thousands of individuals and other firms. The latter was part of the plan of the hackers who breached several of Anthony Gold Solicitors' email accounts on Monday.
David Marshall, the Managing Partner at the firm, said that following the cyber-attack, the firm contacted all those who received the malicious emails and was able to convince them not to open the attachments. The emails in question featured the subject line ‘Action Required – Matter for Attention’ and contained attachments dubbed urgent.
'You may have received an email from an Anthony Gold email address which you were not expecting and/or did not understand. Unfortunately, this was due to a phishing attack on a handful of our email addresses, which were then used to send emails purporting to be on our behalf,' said the firm on its website.
'If you deleted the email straight away, you do not need to take any further action. If, however, you opened the email and entered your personal Microsoft login details, you may wish to change your password as an extra precaution.
'We regularly review our data security practices to ensure the security of our client and contact personal data. We acted swiftly to close down the affected email addresses and mitigate the situation.
'Please accept our apologies for any inconvenience or confusion caused,' the firm added.
According to Peter Wright, the founder of DigitalLawUK, top law firms in the UK remain vulnerable to data breaches and potential infections due to a lack of encryption of their servers and emails. At the same time, such firms' IT systems suffer from "haphazard development", lack strategic security plans and have inherent problems.
'For the legal sector to have effective cyber resilience it needs a two-pronged plan of action in adopting best practice,' said AXELOS head of cyber resilience Nick Wilding.
'First, they [law firms] need to assess how they can harden their networks against their critical vulnerabilities, and secondly, they need to educate their people through ongoing, engaging and practical cyber awareness learning. This is the best way to ensure the sector is fully prepared to protect its clients’ most valuable information,' he added.