More than one million credentials of staff at top-500 law firms in the UK have been found for sale on the so-called ‘dark web’, according to security software company RepKnight.
The company claims that the cache of compromised credentials includes 30,000 from the largest firm, and nearly 80,000 from firms in the legal sector’s so-called ‘magic circle’ of the very biggest law firms.
However, many of these credentials may not have been purloined directly from the law firms, but from third-party security breaches, such as the LinkedIn social networking breach.
“Almost all of the credentials were from third-party breaches, where a corporate email address had been used on a site like LinkedIn or Dropbox, and that site was subsequently compromised. Worryingly, 80% of these email addresses featured in breaches which also contained passwords – often in plaintext,” the company warned.
It continued: “Cybercriminals could potentially use these password to gain access to other private data, like employees’ online banking or social media, via ‘credential stuffing’ or spear phishing attacks, because more than 80 per cent of people tend to re-use their password.”
The company claimed that it used one of its own proprietary monitoring tools, called BreachAlert, to uncover the exposed emails.
“The data we found represents the easiest data to find- we just searched on the corporate email domain. A far bigger issue for law firms is data breaches of highly sensitive information about client cases, customer contact information, or employee personal info such as home addresses, medical record and HR files,” said RepKnight cybersecurity analyst Patrick Martin.
The company not surprisingly suggested that every organisation should adopt dark-web scanning tools as a means of identifying risks as well as, perhaps, whether they have been compromised as well. Two-factor authentication, especially for employees in sensitive roles, ought also be considered.
Law firms are routinely targeted by scammers because they handle money, such as transfers during property sales and purchases. There have been a series of scams involving attackers either compromising either the lawyer or their client in order to persuade one of the parties to transfer large sums of money to accounts controlled by the attackers.
While insecure, email is typically the preferred method of contact for lawyers communicating with clients, despite being urged to send important correspondence by post, rather than email.
Save this article