Remember the story about Willie Sutton, the bank robber? He was asked, “Why do you rob banks?” He allegedly answered, “Because that’s where the money is.”

Why do cyberthieves target law firms? The answer is as straightforward as Sutton’s: Because that is where there is a wealth of valuable data.

That’s why cyberattacks within the legal industry are becoming quite common. The 2017 Legal Technology Survey reported that 22% of surveyed law firm respondents suffered a security breach at their firm. Below are some of the actors and motives we’ve seen in recent compromises:

State Actors

Hackers backed by the Iranian government compromised a law firm (along with universities and government agencies) in an effort to steal data and intellectual property. State actors have the budgets and time to go “low and slow” to obtain what they want. With those resources and patience, they can be relentless.

  • What to consider: Have you plugged your major security vulnerabilities? Do you have an education program in place to train your staff about phishing and other types of attack vectors? Do you continuously monitor your environment to catch the “low and slow” threats?


Does the name Mossack Fonseca ring bells?  It was the Panamanian law firm that gained renown through the Panama Papers leak, where hacktivists gained access to tax shelter documents used to skirt tax laws.

  • Interesting fact: Mossack Fonseca subsequently closed its doors due to “reputational deterioration.”
  • What to consider: If your law firm has controversial or unpopular clients, you may have a target on your back.

Criminal Gangs, Insider Trading, and Profit Motive

Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP are white-shoe law firms in New York City that were breached to obtain confidential information for insider trading purposes. These particular hackers were reported to be Chinese, and three of them made $4M trading on inside information.

  • What to consider: Bad guys exfiltrated data from compromised systems in this hack. Can your firm correlate logs from multiple sources to locate and isolate compromised systems? Given the cost to build a SIEM and operate a security operations center (SOC) for this purpose, think about SOC-as-a-service.

Ransomware and (Illicit) Profit Motive

Law firms are similar to every other business in that they suffer from malware and, in particular, ransomware.  The posterchild firm for this is DLA Piper, which experienced a ransomware attack so devastating that it brought its entire IT operations to a standstill. Lawyers and staff rely on IT to do most of their work. Having no IT systems available means no, or drastically reduced billable hours. In dollar figures, the costs at DLA Piper were reported to be “in the millions.”

  • What to consider: You may have enough layers of protection, but how do you monitor your security tools and detect what inevitably slips through?

Law firms face a threat environment with a lot of bad guys with various motives. The bad guys only have to get it right once to compromise a firm. And they are getting it right far too often. As a result, we see a lot of interest in the legal community for vulnerability scanning and 24/7 security monitoring to meet the vendor risk requirements of law firm clients. For more, check out our white paper to learn how your firm can protect against the top five cyberattacks by clicking on the banner below: