Law Firm Data Security: A federal indictment and Chicago class action

December is a month when major news can be missed under end-of-year to-do piles and old-fashioned hangovers, but two US data security cases involving law firms broke in December that every law firm in the world ought to pay attention to: the U.S. federal charges against three Chinese nationals for making over $4m out of insider trading after hacking two New York law firms, and the claim against Chicago law firm Johnson & Bell alleging inadequate data security. Here are the facts you need to know.

Insider trading arrests for law firm hacking

December saw three Chinese citizens charged under a U.S. federal indictment for making $4m in illegal profits after they allegedly hacked into the computer systems of elite New York law firms to obtain market-sensitive information on forthcoming M&A deals.

The indictment, which was unsealed on 27 December, charges three men – Iat Hong; Hong, Bo Zheng; and Chin Hung – with targeting at least seven law firms and successfully hacking two, obtaining the emails of partners who work on sensitive M&A deals.

The law firms are not named in the indictment but ‘Law Firm 1’ advised on a proposed acquisition of U.S.-based drug maker Intermune and advised Intel Corporation on its 2015 acquisition of Altera Corp. Weil Gotshal, which in April 2016 was reported by the Wall Street Journal to have been hacked, advised Intel on that acquisition. The firm, which has already been approached for comment by the U.S. media, declined to comment to Legal IT Insider.

‘Law Firm 2’ advised Pitney Bowes Inc in its acquisition of Borderfree. Cravath, Swaine & Moore, which last year confirmed that it had been hacked, represented Pitney Bowes in that transaction. Cravath, which has already been approached for comment by the U.S. media, has yet to return requests from Legal IT Insider for comment.

The infiltration occurred from late April 2014 through to late 2015, during which period the defendants allegedly obtained access to the law firms’ networks, targeting emails of partners who worked on those high-profile M&A transactions.

After obtaining emails containing inside information, according to the indictment, the defendants purchased stock in at least five publicly traded companies, which went up in value after the transactions were announced. The defendants sold the stock after the public announcements, making over $4m.

Manhattan U.S. attorney Preet Bharara, announcing the arrest, said: “As alleged, the defendants – including Iat Hong, who was arrested in Hong Kong on Christmas Day – targeted several major New York law firms, specifically looking for inside information about pending mergers and acquisitions. They allegedly hacked into two prominent law firms, stole the emails of their M&A partners, and made over $4 million in illegal profits.

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”

This is how they are alleged to have done it:

The Intermune Transaction

The defendants identified a list of 11 partners at Law Firm 1 in July 2014
Also in July, the defendants accessed Law Firm 1’s web servers using the credentials of an employee
The defendants caused malware to be installed on the Law Firm 1 Web Server
Access to the web server allowed unauthorised access to an email server which contained the emails of employees including ‘Partner 1’ – one of the 11 partners identified.
Partner 1 obtained information via email about the transaction, including the proposed price per share the company was considering offering for Intermune
Between 1 August and 9 August, the defendants caused more than 40 gigabytes of confidential data to be exfiltrated from Law Firm 1’s email server over the course of eight days.

The Intel-Altera Transaction

In January 2015, Law Firm 1 was retained by Intel
Partner 1 obtained confidential information about the Intel-Altera transaction over email, including the proposed share price
Between January 13 2015 and about February 10 2015, the defendants caused 2.8 gigabytes of confidential data to be exfiltrated from Law Firm 1’s email server.

The Pitney Bowes-Borderfree Transaction

In December 2014, Law Firm 2 was retained by Pitney Bowes
‘Partner 2’ worked on the Pitney Bowes-Borderfree transaction
In around April 2015 the defendants accessed Law Firm 2’s web servers located in New York, using the unlawfully obtained credentials of an employee
The defendants caused malware to be installed on Law Firm 2’s web server, which allowed access to an email server containing emails from law firm attorneys, including Partner 2.
Between April 8 and July 31, the defendants caused seven gigabytes of data to be exfiltrated from Law Firm 2’s email server.

In addition to the above transactions, the defendants are alleged to have traded on the basis of at least 10 additional M&A transactions, including ones that were not consummated, many of which involved Partner 1 or Partner 2, according to the indictment.

During the same period, the defendants are alleged to have repeatedly attempted to access the networks and servers of at least five other law firms.
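
Added example (not taken from the indictment or this article): a Python sketch of egress monitoring on a mail server, run over constructed records that reproduce the three exfiltration volumes and date ranges listed above. It shows why a single-day volume alarm only sees the 40-gigabyte transfer, while a per-destination rolling total also surfaces the 2.8 and seven gigabyte transfers spread over weeks. The destination addresses, the even daily spread, the benign baseline and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

GB = 10**9

def spread(start, days, total, dest):
    """Constructed sample: `total` bytes spread evenly over `days` days to one destination."""
    return [(start + timedelta(d), dest, total // days) for d in range(days)]

# Constructed (day, external destination, bytes) egress records for a mail server.
# Volumes and date ranges follow the article; the documentation-range addresses,
# the even spread and the benign baseline are assumptions.
RECORDS = (
    spread(date(2014, 8, 1), 8, 40 * GB, "203.0.113.10")          # Intermune
    + spread(date(2015, 1, 13), 29, 28 * GB // 10, "203.0.113.20")  # Intel-Altera
    + spread(date(2015, 4, 8), 115, 7 * GB, "203.0.113.30")       # Pitney Bowes-Borderfree
    + spread(date(2014, 8, 1), 300, 3 * GB, "198.51.100.5")       # benign relay (assumed)
)

def daily_spike_alerts(records, per_day_limit):
    """Destinations that exceed per_day_limit bytes on any single day."""
    return sorted({dest for _, dest, n in records if n > per_day_limit})

def cumulative_alerts(records, window_days, window_limit):
    """Destinations whose total over any rolling window exceeds window_limit bytes."""
    by_dest = defaultdict(dict)
    for day, dest, n in records:
        by_dest[dest][day] = by_dest[dest].get(day, 0) + n
    flagged = set()
    for dest, days in by_dest.items():
        for end in days:
            start = end - timedelta(window_days - 1)
            if sum(n for d, n in days.items() if start <= d <= end) > window_limit:
                flagged.add(dest)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("single-day > 1 GB:", daily_spike_alerts(RECORDS, 1 * GB))
    print("30-day total > 1 GB:", cumulative_alerts(RECORDS, 30, 1 * GB))
```

In practice the records would come from firewall or NetFlow exports for the mail server's address, and the window and limit would be tuned against the server's normal per-destination traffic.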

Shore et al v. Johnson & Bell, Ltd

The class action against Chicago firm Johnson & Bell is understood to be the first in which a law firm has been accused of exposing client information and failing to protect client data through inadequate security.

In the case that was finally unsealed at the beginning of December and is disputed by Johnson & Bell, plaintiffs and former clients Jason Shore and Coinabul LLC claim that they wish to “put an end to Defendant’s practice of systematically exposing confidential client information and storing client data without adequate security.” They add: “Defendant’s computer systems suffer from critical vulnerabilities in its internet-accessible web services. As a result, confidential information entrusted to Johnson & Bell by its clients has been exposed and is at greater risk of further unauthorized disclosure (if it hasn’t already been disclosed.)”

The claim, which Johnson & Bell has publicly called “baseless” and “specious” and says it will fully defend, seeks to compel Johnson & Bell to “implement industry standard protocols; to allow an independent third party firm to conduct a security audit; to inform Johnson & Bell’s clients that their confidential information has been exposed; and damages.

The claims, filed in April 2016 by Chicago tech and privacy firm Edelson PC, centre on Johnson & Bell’s Webtime server, virtual private network (VPN), and email server.

On the first, the claim states that the defendant operates a Webtime service developed by Rippe & Kingston, which the claimants say has not been properly configured and is running out-of-date software.

The claimants further allege that Johnson & Bell’s Webtime tracking system is built on a JBoss Application Server that is “woefully out of date and suffers from a critical vulnerability.”

In terms of the defendant’s VPN, the claim says: “While use of a VPN is industry standard, Defendant’s implementation is not. Specifically, Defendant’s VPN supports insecure renegotiation, leaving it vulnerable to man in the middle attacks.”

Finally, the claimants say that rather than using a third-party email provider “such as Google’s Gmail”, Johnson & Bell hosts its own email server, with the email used to transmit confidential documents such as email attachments.

Attempts at encryption “fail”, the claim alleges. “Specifically, Johnson & Bell’s email service supports SSL 2, which is obsolete, insecure and is exploited by the “DROWN” attack; and supports 512 bit export suites and is vulnerable to the “FREAK” attack,” the claim says.

William Johnson, co-founder and president of Johnson & Bell, has said in a published statement: “Our data systems are secure and our clients’ information is protected. We will fully defend our firm against this baseless lawsuit and will seek appropriate action against plaintiffs after the lawsuit is concluded.”