Law Firms Fail To Reveal Hacking, Citigroup Report Finds

The unwillingness of most big U.S. law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years. “Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,” according to the report, a copy of which was reviewed by the New York Times. The report, which was issued last month, said it is reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report said bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries. The bank’s security team also highlighted several ways hackers had intruded on law firms, by directly breaching their systems, attacking their websites or using their names in so-called phishing efforts to trick people into disclosing personal information. In the last several months, Mandiant, the security firm that is a division of Milpitas security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity because he was not authorized to speak publicly. Federal law enforcement authorities are urging law firms to be more open about reporting incidents. John Carlin, assistant attorney general for national security, spoke this month at an American Bar Association conference in New Orleans, where he impressed upon the lawyers the need to promptly inform clients and law enforcement authorities of attacks that could compromise confidential information. The Citigroup report noted that the law firm Fried Frank was the victim of a “watering hole” attack in 2012 in which hackers infected its website with malware, an intrusive program that can be transferred to visitors to the site. The report said the campaign, which typically involves sending fake but realistic looking e-mail, may have been an effort to learn more about the law firm’s prominent corporate clients given its work for military contractors and energy companies, including its work on several solar energy projects at the time. Puckett, a Washington-area firm, was hacked in 2012 by activists associated with the group Anonymous, who were angered by the firm’s representation of a U.S.