Over a million stolen e-mail addresses belonging to the top 500 law firms in the UK were found dumped on the Dark Web, including 80,000 credentials stolen from several Magic Circle firms.
The stolen credentials found on the Dark Web were obtained by hackers who compromised third-party sites such as LinkedIn and Dropbox, where employees had registered accounts with their work e-mail addresses.
The stolen credentials were discovered by security firm RepKnight using a specialised Dark Web monitoring tool named BreachAlert. Using the tool, the firm observed the presence of over 1 million e-mail addresses belonging to employees at the top 500 law firms in the UK. As many as 30,000 stolen e-mail addresses on the Dark Web belonged to a single law firm.
According to RepKnight, these e-mail addresses were obtained by cyber criminals by compromising third-party websites such as Dropbox and LinkedIn, which store the personal information of millions of users. Their presence on the Dark Web suggests that hackers may use them to mount phishing attacks against the affected firms in the near future; where a leaked third-party password was also reused for a corporate account, the same record allows direct account takeover.
'The top 500 law firms RepKnight analysed almost certainly haven’t done anything wrong cybersecurity-wise, but all it takes for a breach to occur nowadays is for a single employee to accidentally fall for a phishing email or send sensitive data via email accidentally to the wrong person. It’s almost impossible to prevent,' said Patrick Martin, cybersecurity analyst at RepKnight.
'The data we found represents the easiest data to find – we just searched on the corporate email domain. A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical records and HR files. That’s why – in addition to securing their networks – every firm should be deploying a Dark Web monitoring solution, so they can get alerted to leaks and breaches immediately,' he added.
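The search Martin describes, matching dump records against a corporate e-mail domain, is the simplest form of breach monitoring and is straightforward to reproduce. The script below is an added example, not RepKnight's BreachAlert or any other product's code; the dump lines, the domain names and the two-field "e-mail:password" combolist format it parses are constructed for the demonstration. It normalises addresses before counting so that duplicate records do not inflate a per-firm figure, and it separates addresses that appear with a cleartext password from those that appear alone or with a hash, since only the former are immediately usable for credential stuffing.

```python
"""Triage a leaked credential dump for watched corporate e-mail domains.

Added example, not RepKnight's BreachAlert code. The dump lines and domains
below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Constructed sample in the usual "combolist" shape: one record per line,
# typically e-mail:password, sometimes e-mail only or e-mail;hash.
SAMPLE_DUMP = """\
j.smith@example-law.co.uk:Summer2017!
J.Smith@Example-Law.co.uk:Summer2017!
a.patel@example-law.co.uk;5f4dcc3b5aa765d61d8327deb882cf99
m.jones@other-firm.example:hunter2
not an email line
k.brown@example-law.co.uk
p.green@personalmail.example:qwerty
"""

# Hypothetical domains the firm wants alerts for: the one real input such a tool needs.
WATCHED_DOMAINS = {"example-law.co.uk", "other-firm.example"}

# Address, then an optional ':' or ';' separated secret. Neither separator is a
# valid domain character, so the domain group cannot swallow the secret.
EMAIL_RE = re.compile(r"^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[:;](.*))?$")
# 32 to 128 hex chars covers MD5 through SHA-512; an all-hex password of that
# length would be misclassified, which is acceptable for triage.
HEX_HASH_RE = re.compile(r"^[0-9a-fA-F]{32,128}$")


def parse_line(line):
    """Return (email, secret_kind) or None; secret_kind is 'password', 'hash' or None."""
    m = EMAIL_RE.match(line.strip())
    if not m:
        return None
    email = m.group(1).lower()  # addresses are case-insensitive: normalise before dedup
    secret = m.group(2)
    if not secret:
        kind = None
    elif HEX_HASH_RE.match(secret):
        kind = "hash"
    else:
        kind = "password"
    return email, kind


def triage(dump_text, watched_domains):
    """Group leaked records by domain, keeping only watched domains.

    Returns {domain: {"addresses": set of e-mails, "cleartext": subset seen with
    a plaintext password}}. Counting unique addresses rather than lines is what
    makes a "30,000 addresses from one firm" figure meaningful: dumps are full
    of duplicates and case variants.
    """
    result = defaultdict(lambda: {"addresses": set(), "cleartext": set()})
    for line in dump_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        email, kind = parsed
        domain = email.rsplit("@", 1)[1]
        if domain not in watched_domains:
            continue
        result[domain]["addresses"].add(email)
        if kind == "password":
            result[domain]["cleartext"].add(email)
    return dict(result)


def summarise(triaged):
    """Flatten to {domain: (unique_addresses, with_cleartext_password)} for alerting."""
    return {d: (len(v["addresses"]), len(v["cleartext"])) for d, v in triaged.items()}


if __name__ == "__main__":
    for domain, (n_addr, n_pw) in sorted(summarise(triage(SAMPLE_DUMP, WATCHED_DOMAINS)).items()):
        print(f"{domain}: {n_addr} unique addresses exposed, {n_pw} with a cleartext password")
```

On the constructed sample the two case variants of the same address collapse to one record, the non-watched personal address is dropped, and the hashed record counts as exposed but not as a usable password. In practice the same loop is run over each new dump as it appears, with the watched-domain set and the per-domain counts feeding an alert.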
Even though the revelation has raised eyebrows across the UK, many in the cyber security industry aren't surprised. In March last year, research by AXELOS found that, despite processing a lot of sensitive data, law firms in the UK were highly vulnerable to cyber-attacks because they lacked appropriate cyber resilience strategies.
By that point, as many as 73 of the UK's top 100 law firms had been targeted by cyber-attacks, compared with just 45 in 2013-14, and 84% of those 73 firms admitted that they had also been victims of phishing attacks.
'First, they [law firms] need to assess how they can harden their networks against their critical vulnerabilities, and secondly, they need to educate their people through ongoing, engaging and practical cyber awareness learning. This is the best way to ensure the sector is fully prepared to protect its clients’ most valuable information,' said AXELOS head of cyber resilience Nick Wilding.
According to James Romer, EMEA Chief Security Architect at SecureAuth, the fact that credentials of hundreds of thousands of employees at top law firms in the UK are being easily obtained by hackers 'reinforces the weaknesses of password-based security'.
'Any organisation relying only on passwords and usernames as an authentication protocol is being fundamentally irresponsible. Even two-factor authentication isn’t sufficient as malware and basic phishing attacks can readily be used to extract the one-time passwords from users and/or devices.
'Modern security depends on adaptive measures that keep hackers guessing. It is important to layer such technology with adaptive authentication methods, such as IP reputation, phone number fraud prevention capabilities or behavioural biometrics. Effective security depends on layers,' he said.