Darker Discovery: The Risky Reality of Law Firm Data Exposures

The worst case scenario in discovering a data breach is to stumble upon stolen data offered for sale on the dark—or even public—web. Unfortunately, it’s also an all-too-common occurrence.

For instance, on March 16, 2021, in an underground, Russian-language marketplace and forum called exploit[.]in, the user vasyldn offered for sale data from the following sources:

  • A criminal, divorce and family, and personal injury law firm in North Dakota for $5,000
  • A real estate, personal injury, medical malpractice law firm in New York for $5,000
  • A personal injury law firm in British Columbia (BC), Canada for $5,000
  • A banking/commercial/corporate/financial institutions firm in Virginia for $5,000
  • A personal injury, family law, criminal law, business law firm in Utah for $6,000
  • A civil litigation, estate litigation, personal injury firm in BC, Canada for $5,000
  • A real estate, commercial, business/corporate law firm in Arizona for $6,000
  • A corporate law and litigation, family law, domestic relations, and estate planning firm in West Virginia for $5,000
  • An employer litigation defense and business law firm in California for $8,000
  • A general practice law firm in Indiana for $5,000

It is impossible to determine which law firms these might be, as the descriptions are generic enough to apply to many different firms. There are times, however, when the descriptions include the yearly income of the firm in question, making them much more easily identifiable.

At Relativity, our security team—Calder7—takes a proactive approach in gathering threat intelligence, as well as exploring and probing threats. We mine the dark web and hacker forums like these to better understand the threat landscape and implement preventative measures in advance of an attack. When we come across illicit sales like these, we try to alert any identifiable firm to the issue and ensure they are aware of the situation. Ultimately, though, it’s too late to catch these activities after the fact—and data hacks are far from a victimless crime.

From the IBM’s 2020 Cost of a Data Breach Report, the average time to identify a breach was 228 days and the average time to contain that breach was another 80 days. Speaking in averages helps us understand the overall landscape, but in the legal services industry, some statistics do not paint a fair or accurate picture of the issue.

For example, the average cost per stolen record in a data breach is $150, from the same IBM report. In a law firm, however, a single record lost can cost a multi-million dollar value account and years of hard work gaining clients’ trust. These losses are rarely captured in those kinds of statistics.

So let’s be clear: While reacting quickly to a breach can improve your chances of preserving your reputation and recovering sensitive data, it simply isn’t enough. In cyber health as well as physical, an ounce of prevention is worth more than a pound of cure.

A Brief History of Hacker Forums

Going back to the above examples, it should be noted that exploit[.]in, like many other forums offering illicit access to stolen goods, has been around for many years. It has over 40,000 members to date and continues to grow rapidly. Unfortunately, the forum has been largely unimpeded in the past by law enforcement, who invest much of their focus on drug-related online markets.

Still, security researchers and law enforcement professionals do monitor these forums to spot patterns in criminal behavior and increase awareness of past and future cybersecurity compromises. Only rarely, however, does information about where the stolen data comes from get shared.

The forum has controlled access; outsiders must either pay $100 or prove they are on other closed, related forums to start browsing and participating in conversations. For the most sensitive discussions, there is a VIP section where existing users must personally vouch for a new user before he or she is given access.

In 2016, criminal sellers in the exploit[.]in forum (and others like it) were advertising tools that could defeat all of Microsoft’s security defenses. Today, though, postings are generally about stolen email accounts and access to compromised servers around the world.

Of course, there is no honor among thieves—and, frequently, nothing is delivered once payment has been made via these forums. But some of the advertised commodities are real, and the impact their illicit sales have on human beings around the world is, too.

Your Best Line of Defense

Calder7 is a sophisticated team of product and cyber security specialists guarding Relativity’s software, networks, our customers’ data, our data, and our people. As part of our efforts, we continuously monitor this and other underground forums for any indications of legal services organizations being compromised—and, where possible, we do notified affected organizations of our findings.

But again, notification can only slow the bleeding on a deadly wound to firms who are obligated to protect some of their clients’ most sensitive information. Software vulnerabilities—like the recent string of ProxyLogon issues—remain a leading vector of compromise in computer systems. Being diligent in patching the latest vulnerabilities should be a high-priority item for any organization who wants to get ahead of a potential breach.

Additionally, building a strong security culture goes far beyond having the best security technology controls or most heavily defended data platforms. It’s also a way of thinking about life that keeps security at the forefront of decision making. All organizations are encouraged to build a security culture within their teams. Security is rarely your work product, but it should still be part of every work product.

Remember: The most common cyber attack vectors include compromised credentials, supply chain exposures, malicious insiders, misconfiguration, unpatched vulnerabilities, ransomware, phishing or other social engineering, and a lack of adequate encryption. Especially when large portions of the workforce are remote, a strong culture of security will help ensure your employee’s work environments—in the office and at home—are as safe as possible.

Darian Lewis is a staff engineer within Relativity and the lead threat intelligence analyst in the Calder7 security group. In his role, Darian leads a team in charge of assessing and responding to threats that could impact the security of Relativity's SaaS product, RelativityOne.

Discover the Security Sandbox Podcast