UK’s Law Firms Found To Be At Significant Risk From Corporate Credentials Availability on Dark Web


The UK’s top law firms are said to be at serious risk of unauthorized network intrusions after it was revealed that one million breached credentials are available on the dark web.

According to RepKnight, which studied 620 domains belonging to 500 of the UK’s law firms, nearly 1.16 million corporate email addresses are available on various sites, most of which are previously stolen or leaked credentials.

Over half of these have been posted in the past six months, with 80% having an associated password. These passwords are in many cases available in clear text or easily-broken hashed values, the research firm has claimed.

Most of these credentials were gathered from third-party breaches such as the one at LinkedIn, wherein law firm employees had signed up with their work credentials.

Vulnerable To Cyber Attacks

RepKnight’s report states that this exposure puts the law firms’ network and staff “at significant risk” from ‘credential stuffing’ attacks. In these attacks, bots repeatedly try the same username and password on multiple sites.

Also possible are the more serious kinds of attacks such as ‘spear phishing’ or even identity fraud, where those credentials are used as part of a targeted cyber-attack on that individual, the report said.

Moreover, the availability of the law firm credentials on dark web sites exposes the firms to a potentially alarming situation. They can be used to access the corporate network, and send spear-phishing emails loaded with malware, or even attempt CEO fraud.

For the law firms, any leaks of highly sensitive client or employee data can result in heavy fines under the GDPR.

Law Firms Becoming Preferred Targets

In recent times, the legal sector has been coming to the attention of cyber-criminals who are looking to tap the wealth of lucrative information such firms possess.

Around 24% of SME-sized firms in the legal sector suffered a cyber-attack last year, with the figure rising to 36% for London-based companies, according to NatWest.

In 2016, two large US law firms were hacked for information which was then used in a $4m insider trading scam. Additionally, both the Panama Papers and Paradise Papers leaks came after offshore law firms were hacked.

 
