The UK’s top law firms are at serious risk of unauthorized network intrusions after new research revealed over one million breached credentials on the dark web.
RepKnight studied 620 domains belonging to 500 of the UK’s law firms and found 1.16 million corporate email addresses on various sites which collect previously stolen or leaked credentials.
More than half of these had been posted in the past six months, and 80% had an associated password – often in clear text or as a hash that can be easily cracked, the vendor claimed.
“This puts those staff – and the law firm’s network – at significant risk from ‘credential stuffing’ attacks, where bots are used to repeatedly try the same username and password on multiple sites,” the report continued. “Perhaps more serious are ‘spear phishing’ attacks or identity fraud, where those credentials are used as part of a targeted cyber-attack on that individual.”
The vast majority of these credentials were taken from third-party breaches such as the one at LinkedIn, where law firm employees had signed up with their work credentials.
However, their appearance on dark web sites alongside passwords puts their employers in a potentially alarming position if those credentials are used to access the corporate network, craft spear-phishing emails loaded with malware, or attempt CEO fraud.
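The kind of exposure check the research describes can be run by a firm against its own domains. The following is an added example, not RepKnight's tooling or code from the article: it takes constructed breach-compilation records (sample data, not real leaked credentials), counts addresses per monitored domain, how many carry a password and how many were posted recently, and lists the accounts whose password is in clear text or a fast-to-crack hash and so should be force-reset. The `WEAK_HASHES` set and the record layout are assumptions of this example.

```python
from datetime import date, timedelta

# Constructed sample records (not real data): (email, password_field, password_form, date_posted, source)
BREACH_RECORDS = [
    ("alice@examplelaw.co.uk", "Summer2017!", "cleartext", date(2017, 11, 2), "combolist-A"),
    ("bob@examplelaw.co.uk", "5f4dcc3b5aa765d61d8327deb882cf99", "md5", date(2017, 9, 14), "social-site"),
    ("carol@examplelaw.co.uk", None, None, date(2016, 5, 1), "social-site"),
    ("dan@otherfirm.co.uk", "letmein", "cleartext", date(2017, 12, 20), "combolist-B"),
    ("eve@unrelated.example", "hunter2", "cleartext", date(2017, 12, 21), "combolist-B"),
]

# Unsalted, fast hash formats that offline guessing recovers quickly; treated as good as clear text.
WEAK_HASHES = {"md5", "sha1", "ntlm"}


def exposure_report(domains, records, today, window_days=183):
    """Summarise leaked credentials per monitored domain.

    Returns, for each domain: number of unique addresses seen, how many had a
    password, how many were posted within the window, and the sorted list of
    addresses that should be force-reset (password usable as-is or trivially cracked).
    """
    monitored = {d.lower() for d in domains}
    cutoff = today - timedelta(days=window_days)
    seen = {d: {"addresses": set(), "with_password": set(), "recent": set(), "reset": set()}
            for d in monitored}
    for email, password, form, posted, _source in records:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain not in monitored:
            continue  # third-party address, not one of ours
        s = seen[domain]
        s["addresses"].add(email)
        if posted >= cutoff:
            s["recent"].add(email)
        if password is not None:
            s["with_password"].add(email)
            if form == "cleartext" or form in WEAK_HASHES:
                s["reset"].add(email)
    return {d: {k: (sorted(v) if k == "reset" else len(v)) for k, v in s.items()}
            for d, s in seen.items()}


if __name__ == "__main__":
    for domain, stats in exposure_report(["examplelaw.co.uk"], BREACH_RECORDS, date(2018, 1, 15)).items():
        print(domain, stats)
```

In practice the records would come from a breach-monitoring feed rather than an inline list, and the reset list would be fed to the identity provider's forced-reset workflow.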
Any leaks of highly sensitive client or employee data could result in heavy fines under the GDPR.
The legal sector is coming under increasing scrutiny from cyber-criminals looking to tap the wealth of lucrative information such firms hold.
A quarter (24%) of SME-sized firms in the sector suffered a cyber-attack last year, with the figure rising to 36% for London-based companies, according to NatWest.
Meanwhile, two major US law firms were hacked in 2016 for information subsequently used in a $4m insider trading scam.
Both the Panama Papers and Paradise Papers leaks also came about after offshore law firms were targeted.