With all the fuss about cyber breaches and data security, a number of you have asked, “Why do you keep tweeting about law firm data? Why is my data important to a hacker?” The easy answer – it’s not important. It’s a gold mine.
To understand why, let’s back up and talk about a buzzword that many use but few truly understand: The Dark Net (or the Dark Web, or Tor). Sounds scary, right? It is. And here’s why.
Imagine for a moment that you are working from home and you need to access a document located within your firm’s perimeter. If I were to ask you how to do that, you’d likely reply, “VPN,” and you’d be correct. A VPN allows you to connect to your workplace and access resources you’d otherwise not be able to access.
In an over-simplified way, that also describes the Dark Net. The Dark Net is made up of hundreds of thousands of “invisible” websites and forums that are only accessible through VPN-style software. But that software doesn’t just get you into the “dark web” – it enables you to browse anonymously by running your connection to the network through hundreds of other computers and hiding who you are and where you are located. You don’t have to worry about being tracked. It’s practically anonymous.
In other words, technology has taken the Information Super Highway and created a secret tunnel where GPS signal is lost. Criminals can travel through the tunnels, offering and advertising illegal services, and without the aid of tracking, there’s not a lot that law enforcement can do.
So now that we’ve had a crash course on the “Dark Net”, let’s go back to the gold mine. Why is a law firm’s data so important to these thieves?
I was recently doing research on the “Dark Net” and came across a forum that read: “$200,000 bitcoin M/A, IP, pre-investigation”.
Let’s translate that: Someone was willing to pay $200,000 in cryptocurrency to an individual who can provide information on M&A, IP, or pre-investigation data. Where can you find a wide variety of that kind of information without a very specific target list? That’s right – Law Firms: “The Holy Grail” of information about the world’s enterprises.
Most companies use outside counsel in all of these types of matters. If a hacker finds information on an M&A transaction, and they know that the stock in that company would go up based on the deal, they can get in early and profit tremendously. On the flip side, they could use the information to help sabotage a pending deal.
The same goes for pre-investigation actions. If a hacker can gain information on a pending regulatory investigation and they have an opportunity to “short” the stock of that company, the rewards could be lucrative.
But that’s not all. Class action firms hold PII from the entire class. Social Security numbers, dates of birth, names, and addresses…the list goes on. That is the same type of information the thieves took from Equifax, which will likely be sold for millions on the Dark Net.
Finally, let’s not forget intellectual property. In today’s post-2011 “First to File” world, targeting IP firms can be a rewarding business. If a hacker can get their hands on the next Fitbit design, or Google’s “next big thing” before it is patented, they could sell the documents for millions to someone who would sell them for millions to someone who will eventually file the patent. And just because that person gets caught doesn’t mean the original hackers can be traced. So, the risk to the original hacker is relatively low when compared to the reward.
The bottom line is this – every single piece of information that a Law Firm has in its custody can be bought, sold, and traded on the Dark Web. Just because a hacker has no need for the data doesn’t mean that there isn’t someone out there willing to pay a steep price for the information with the potential of profiting tenfold. Your firm’s data is a gold mine, and it should be protected as such.