Global law firm Jones Day has reportedly had 100 gigabytes of data stolen, with some of it appearing on the dark web, after a third party that provides it with file transfer software was hacked.
The firm has had a particularly high profile of late for its work for former president Donald Trump challenging last November’s election, and some of the data taken has appeared on ‘Cl0p Leaks’, a dark web site where other stolen data has been shared.
Screenshots of a few individual documents have been published there, including a memo to a judge marked “confidential mediation brief” and a cover letter enclosing “confidential documents”.
According to Vice, someone in control of an email address listed on the site, and purporting to be the hackers, said in an email to the publication: “We hacked their server where they stored data, on attempts to ‘settle’ they responded with silence and we had to upload the data.
“We emailed them and they ignored us for over a week. We did not encrypt their network [ie, it was not a ransomware attack], we only stole the data.”
Asked what their motivation was, the reply said: “And what do you think? 😉 financial of course.”
Jones Day – which has an active cybersecurity, privacy and data protection practice – has not posted anything about the hack on its website or social media channels and did not respond to a request for comment.
However, it told the Wall Street Journal that Accellion, a file-sharing company it has used, was recently compromised and had information taken. Jones Day said it continued to investigate the breach and was in discussion with affected clients and the appropriate authorities.
Accellion first revealed last month it had suffered a breach in mid-December; one of the affected clients was another major US law firm, Goodwin Procter, which said at the time that a “small percentage” of its clients “may have experienced unauthorized access to or acquisition of confidential information”.
In a statement earlier this month, Accellion said the “sophisticated cyberattack” was on FTA, its “legacy large file transfer product” that was “nearing end-of-life”. Security patches were deployed, along with new monitoring and alerting capabilities.
Stephen Kapp, chief technology officer and founder of cybersecurity business Cortex Insight, said the breach highlighted the importance of ensuring that services used by an organisation were “properly secured and that vendor security is taken seriously, as when you use their services you are still responsible for the data they handle for you”.
He continued: “In order to manage and identify any risks introduced by third parties, it is best practice to include them in security assessments of your organisation.
“When doing this make sure that contracts with vendors allow for this and also stipulate to the vendor their security obligations and your security requirements.”
Mitch Mallard, threat intelligence analyst at cybersecurity firm Talion, said: “The Accellion breach highlights one of the key weaknesses of external file transfer systems, but also the over-arching issue of security versus convenience.
“When uploading any kind of sensitive file to an online repository, document transfer service, or even attaching it to an email, it is best practice to encrypt the file, and then provide your intended recipient with the decryption key through alternate means.
“This ensures that, should a breach occur, your files are not in plaintext for the taking. It may be tempting and convenient to trust reputable external services, but when it comes to sensitive files, such as the legal documents affected in this case, there is no substitute for robust encryption and keeping unprotected instances local only.”
Sam Curry, chief security officer at Cybereason, added that the size of the leak was not as important as the substance.
“For instance, image files can be very large compared to text files. The same is true of audio or video for depositions. The big concern here is where did the data go and how will it be used, not how much of it there is.”