Hackers Breach Law Firms, Including Cravath, Weil Gotshal
Federal investigators explore whether cybercriminals stole confidential information to be used for insider trading
Hackers broke into the computer networks at some of the country’s most prestigious law firms, and federal investigators are exploring whether they stole confidential information for the purpose of insider trading, according to people familiar with the matter.
The firms include Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies in everything from lawsuits to multibillion-dollar merger negotiations.
Other law firms also were breached, the people said, and hackers, in postings on the Internet, are threatening to attack more.
It isn’t clear what information the hackers stole, if any, but the focus of the investigation is on whether confidential data were taken for the purpose of insider trading, according to a person familiar with the matter.
The Manhattan U.S. attorney’s office and Federal Bureau of Investigation are conducting the probe, which began in the past year and is in its early stages, the people said. Representatives for both declined to comment.
Cravath said the incident, which occurred last summer, involved a “limited breach” of its systems and that the firm is “not aware that any of the information that may have been accessed has been used improperly.” The firm said its client confidentiality is sacrosanct and that it is working with law enforcement as well as outside consultants to assess its security.
A spokeswoman for Weil Gotshal declined to comment.
The cyberattacks show what law-enforcement officials have been warning companies about for years. As hacking tools and hackers for hire proliferate in certain corners of the Internet, it has become easier for criminals to breach computer networks as a way to further a range of crimes, from insider trading to identity theft.
In recent years, a number of major retailers have been breached, as was J.P. Morgan Chase & Co., the country’s biggest bank by assets. In those cases, hackers stole data such as credit-card numbers and email addresses that they could use to make fraudulent purchases or entice customers into scams.
The attacks on law firms appear to show thieves scouring the digital landscape for more sophisticated types of information. Law firms are attractive targets because they hold trade secrets and other sensitive information about corporate clients, including details about undisclosed mergers and acquisitions that could be stolen for insider trading.
Hackers often steal large amounts of information indiscriminately and then analyze it later to see how it could be useful, making it difficult to determine early on in these types of investigations whether any information was actually used for insider trading, observers said.
The potential vulnerability of law firms is raising concerns among their clients, who are conducting their own assessments of the firms they hire, according to senior lawyers at a number of firms.
A case last year shows that hackers have gone after sensitive material to fuel illegal trading. In that case, brought by federal prosecutors in New Jersey and Brooklyn, N.Y., hackers in Ukraine allegedly breached newswire companies in the U.S. and stole news releases about corporate earnings before they became public. Stock traders then made lucrative bets based on the releases, prosecutors said. At least three of the defendants have pleaded guilty, and the case is pending.
The federal investigation into the law firms is one of several recent cyber-related incidents that have affected the legal industry.
In February, a posting appeared on an underground Russian website called DarkMoney.cc, in which a person offered to sell his phishing services to other would-be cyberthieves and identified specific law firms as potential targets. In phishing attacks, criminals send emails to employees, masked as legitimate messages, in an effort to learn sensitive information like passwords or account information.
Security firm Flashpoint issued alerts to law firms in January and February about the threats and has acquired a copy of a phishing email that is aimed at law firms, according to a person familiar with the alerts. “It has definitely picked up steam,” this person said.
The FBI also issued an alert in recent weeks that warned law firms about potential attacks, according to people familiar with the alert. The FBI declined to comment.
Law firms said they have double-checked their cybersecurity defenses in response to the posting and raised more awareness about the issue internally. It isn’t clear if the hacker’s efforts have resulted in any breaches. A Flashpoint spokeswoman declined to comment on the alerts.
One senior partner at a top law firm said he often receives suspicious emails from people who pretend to be seeking legal representation. “Law firms are being deluged with attempts to crack their systems,” he said.
Law firms last year formed an information-sharing group to disseminate information about cyberthreats and other vulnerabilities. It is modeled after a similar organization for financial institutions.
So far, 75 law firms have joined the group, said Bill Nelson, chief executive officer of the Financial Services Information Sharing and Analysis Center, which oversees the legal group and similar entities that focus on other industries, such as retail.
One of the trickiest questions for law firms is when they are required to publicly disclose a data breach. Forty-seven U.S. states have their own breach-notification laws, forcing law firms and other companies to navigate a patchwork of different rules.