New Zealand Law Society

Navigation menu

Stolen law firm information circulates in dark web

01 February 2018 - By Angharad O'Flynn

Around 1.6 million hacked, leaked, or stolen email addresses and credentials from the United Kingdom's top 500 law firms are circulating online in the dark web.

RepKnight, a cybersecurity company based in London and Belfast, says it uncovered the firm credentials while doing research for its White Paper Securing the Law Firm: Dark Web footprint analysis of 500 UK law firms.

How it happened

The analysis explains that credentials were exposed through “third party breaches”, and were not the fault of the law firms.

A “third party breach” is where a data breach happens from using other websites or systems unconnected to the law firm, where employees have signed up using their work email address.

Where the information was found

Most importantly, every single Top 500 law firm had, at the very least, one credential dumped onto the Dark Web and/or dump/pasting sites - 75,189 credentials from the Magic Circle firms alone.

The Dark Web, simplified, is a collection of thousands of websites that use anonymity tools and it is not easily accessible – you can’t find it in Google, you need special software. The people trawling the Dark Web tend to know their way around cybersecurity and have an in-depth knowledge on how cybersecurity works.

Dump/Pasting websitesare used to store plain text. They are a favourite of hackers who want to mass-dump hacked user credentials anonymously and content is freely available to anyone who knows where to look for it and information can be taken repeatedly by different users.

“With many law firms publishing contact email addresses for their partners and staff on their website, it’s relatively easy for spammers and cybercriminals to get an email address,” explains RepKnight’s White Paper.

"Every exposed email address puts that member of staff at significant risk of phishing attacks and impersonation attempts, as well as the constant plague of spam and malware."

As we have seen with several large law firms over the past few years, hackers are developing more advanced phishing and scamming tactics and law firms are a favourite target due to their clientele.

Money doesn’t always buy you the best protection if you don’t know what you need to protect.

Prevention
Education

While law firms are putting a lot of money into their in-house networks, a lot of cybersecurity companies now recommend that firms begin looking after both in-house network and all data stored on internal and external sites; websites where you have your staff’s contact details available is an obvious example.

Your corporate emails are easily found. RepKnight only needed to type for the email domain of a law firm to locate it, so educating staff is incredibly important.

Thoroughly explain how this works

Hammer this home.

If you sign up to a third-party website, there is a chance your details will be sold on by the website; this means that your email and password credentials can be dumped on pasting sites; hackers and scammers use pasting websites to trawl for easy credentials; your firm gets scammed/hacked/information is leaked accidentally.

Automated breach alert systems

These can monitor search terms and can instantly alert you should those search terms - your work credentials - appear online.

Watermarking

Not in the traditional sense. For additional security, we strongly advocate adding “watermarks” to your in-house data sets – these are additional entries which can act as markers if the database is leaked.

Fingerprinting

Data sets can also be “fingerprinted” to extract unique characteristics which identify the data as belonging to you – again, these fingerprints can be used as search terms to alert you to a possible hack or breach.

There are specialists who can come in and explain things, or you can send managers on courses and have them relay the information. It's best not to struggle along if you're unsure.

And if this article has made you re-think whether your security is strong enough, assume it's not, and review it immediately.

Last updated on the 1st February 2018