Law Firms Face Extortion & Legal Penalties After Australian Ransomware Scandal
Many Australian law firms and their clients could find themselves facing extortion by online hackers after reports of a major security breach of an Australian legal services firm.
Hackers from a cyber-crime collective have targeted a national legal services firm and top-tier clients in a ransomware attack, warning the firm to meet their demands or risk a leak of their ransomed data.
But the potential damage could go far deeper than one legal services firm and could expose many firms to legal penalties for sharing confidential client file information with the legal services firm.
Legal services firm Law In Order is routinely used by client law firms to print a number of court documents which would contain sensitive information on cases.
At EAGLEGATE Lawyers, we recognise that law firms have a responsibility to keep client file information private. But we also understand an unknown number of firms may have shared client files with Law In Order, and thus given hackers access to confidential client data.
If lawyers outsource the secretarial support on a file, such as printing, to Law In Order, it may mean they are in breach of any confidentiality undertakings given to the Courts and the other parties in matters.
The issue is wider than a breach of Confidentiality Undertakings. The files given to Law In Order will provide enough information to identify the parties on the matter, the witnesses (and their addresses) and are likely to contain highly sensitive information which could include medical information.
That means that those mentioned in those documents could also face extortion from the hackers. This crisis goes far deeper than just one legal services firm; it could ensnare a wide range of Australian law firms and individual clients and witnesses.
Law In Order is used not only for legal file printing; it also provides access to discovery software, hosted on its services, which allows law firms to quickly sift through gigabytes of data to find relevant documents.
Those documents will be documents of parties to court cases and again would contain very sensitive information. That information can give a competitor an advantage.
Any leak of information into the public domain may also allow use of that information by third parties. In 2019 the High Court dismissed an appeal by companies within the Glencore plc group to restrain the Australian Tax Office (ATO) from using the Paradise Papers based on legal professional privilege.
Accordingly, the effect of any leak may have serious long-term consequences for clients.
Law In Order is a trusted provider of services to the legal industry, but this attack will be a motivator for hackers, as it gives access not to the data held by just one law firm but to the data of thousands of law firms.
Law In Order has confirmed it was targeted by a ransomware attack from an international cyber-crime group that forced it to limit access to online networks and put a stop to its business operations. The firm was told it had seven days to respond to demands before more of its data is released on the dark web.
The firm had given an assurance to clients it had seen no evidence of data exfiltration nor anything that indicates Law In Order’s customers’ networks have been compromised.
Law In Order has said it engaged cyber-security investigators and advisers to work with its IT team to determine the full scope of the incident before it brings its networks back online safely. The legal services firm is also working with the Australian Federal Police and with the Australian Cyber Security Centre.
The ransomware attack is a stark reminder to all businesses to take advice from cyber professionals and have their online systems hardened against cybercrime attacks.
It’s also going to be a sharp wake-up call to those firms breaching Court confidentiality requirements by passing client information to Law In Order. They must now be desperately hoping the cyber criminals don’t turn their attention to individual clients of those law firms who entrusted their data to the legal services firm.