Wall Street-savvy hackers are behind a data breach that involves a who’s-who of New York City legal firms. Federal investigators are looking into the breach that included Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, both high-profile New York-based law firms.
Cravath Swaine & Moore said told Threatpost its computer networks were infiltrated last summer and that it was not aware that any information accessed by the hackers was used improperly. Public disclosure of the hack was on Tuesday.
“Last summer, the firm identified a limited breach of its IT systems. We have worked closely with law enforcement authorities who have jurisdiction over this matter,” the company said in a prepared statement. “Upon identifying the incident we immediately supplemented our IT security measures with the assistance of additional outside security consultants,” the statement continued.
Gotshal & Manges declined to comment to Threatpost.
Security experts say the breaches represent a growing trend of attackers targeting corporate law firms and brokerages that specialize in patent and intellectual property law.
“Hackers are stealing this confidential information for the purpose of insider trading. Stealing information from patents that are currently in process, or details about an upcoming merger and acquisition, can be easily used to ‘game’ the stock market,” said Dodi Glenn, VP of cyber security at PC Pitstop in written statement commenting on the breaches.
High-powered law firms are also rife with personal identifiable information of executives whose email and personal data are attractive to hackers interested in identity theft and financial crimes such as fraudulent money transfers, according to Glenn.
Over the past several years a number of large financial firms have been targeted including J.P. Morgan Chase & Co. In 2014, hackers made off with 7 million compromised J.P. Morgan Chase small businesses accounts and 76 million households accounts. That same year, along with JPMorgan, Fidelity Investments, E*Trade Financial Corp., Scottrade Financial Services and Dow Jones & Co. were also victims of hackers who were dubbed “Digital Dons”.
“If you are hacking into a major law firm – one that’s closely tied to Wall Street and does a lot of M&A work – you can reasonably assume that that hackers are targeting more than email addresses,” said Adam Levin, chairman and founder of security firm IDT911.
Levin advocates high-stakes law firms shake up their security status quo and put in place more aggressive security protocols. For starters, Levin said, companies need to boost employee awareness, training and adopt robust damage control programs that can limit the inevitable fallout from breaches.
“We don’t know what the exact motive is in this case,” Levin said. “These firms are sitting on a goldmine of data from client information to companies about to be go public. We have seen this type of data used in the past for pump-and-dump schemes or some type of market advantage. It’s reasonable assume the hackers motives were geared toward market manipulation,” he said.
Meanwhile, Cravath Swaine & Moore said in its statement that its client confidentiality is sacrosanct. “We continually invest in state-of-the-art systems and procedures and work with clients and security firms to assess the strength of our protections. We will continue to work to ensure our systems are best in class,” wrote the law firm in a statement.