DLA Piper’s Cyber Attack and Why It Matters

A ransomware demand for the payment of $300 worth of bitcoin sits on the screen of an Apple Inc. Macbook Air laptop infected by the 'Petya' computer virus. Photographer: Vincent Mundy/Bloomberg

DLA Piper is not the first law firm to suffer a cyber attack, but it may be remembered that way after a powerful malware forced the global law firm to shut down or limit its email for hours on end and to work off of cellphones.

In the most glaring example to date of hackers interfering with a major U.S. law firm’s ability to conduct its daily business, reports started surfacing on Tuesday morning that the firm had shut down its phone system and email. By the following day, the firm stated on its website, which remained functional throughout the ordeal, that it had shut down its email and other systems to contain the spread of what appeared to be “Petya” malware, and aimed to restore email by the evening European time.

News outlets in the U.S., the U.K., New Zealand, and elsewhere reported on the attack DLA suffered. But it is most likely not the first firm to fall victim to a ransomware attack: An FBI agent in New York told Big Law Business earlier this month that other law firms have avoided such publicity from such attacks by paying a ransom to hackers.

“Ransomware attacks have steadily increased in number,” said Aristedes Mahairas, special agent-in-charge in the cyber division of the New York City’s FBI field office, in an interview. “We’re hearing that there are law firms paying the ransom.”

The spread of the Petya virus, which locks people out of their computer network and demands a $300 ransom in cryptocurrency follows on the heels of WannaCry, a ransomware that infected companies in 150 countries in May. And by Wednesday, there was speculation that whoever was behind the latest Petya attack wasn’t interested in money, but rather disruption, because the malware also destroyed some computers’ data, Bloomberg reported.

DLA Piper has not said whether it paid any ransom, but it has said it found no evidence that any client information was affected.

A U.S.-based spokesman for DLA Piper, whose phone would not accept calls or messages on Tuesday, issued a statement on Wednesday:

On June 27, 2017, our advanced-warning system detected suspicious activity on our network, which, based on our investigation to date, appears to be related to the global cyber event known as “Petya”. Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems.

We immediately began our investigation and remediation efforts, working closely with leading external forensic experts and relevant authorities, including the FBI and UK National Crime Agency. We are working to bring our systems safely back online.

A statement posted on the firm’s website said its people continue to be available on their cell phones. In New Zealand, one paper reported that the firm’s lawyers in the country could send but not receive emails.

Overall, ransomware is a fast-growing threat: According to Verizon’s 2017 Data Breach Investigation report, which surveyed the cybersecurity landscape, ransomware has moved up from the 22nd most common form of malware in 2014 to the fifth most common because it is fast low-risk and easily monetizable.

Law firms are certainly attacked by ransomware on a regular basis,” said Adam Cohen, a managing director with data security expertise at the Berkeley Research Group, a consultancy, “but I don’t know of anyone being shut down like this.”

More often, he said, you hear about law firms being targeted because they serve as repositories of their client’s most sensitive information, which can be used for corporate espionage, insider trading or other criminal purposes.

In March 2016, Big Law Business reported on an FBI alert about a web post on a “cyber criminal forum,” seeking hackers who could penetrate law firms’ computer networks and steal data for an insider trading scheme.

The threat detection company Flashpoint Security also issued a client alert in February 2016, obtained by Big Law Business, which described a character named “Oleras” who wanted to harvest data from law firms for insider trading, and provided a spreadsheet with a list of 48 law firms including both Weil Gotshal & Manges and Cravath Swaine & Moore, which the Wall Street Journal later reported suffered data breaches.

But even though Weil and Cravath are among just a few law firms reported to suffer a data breach, their situations differed in that there were no reports that the hackers disrupted its computer networks in the same way as at DLA Piper, where lawyers were forced use their cellphones for communications, according to the firm’s note to clients.

Of course, there have been other publicized examples of hackers penetrating smaller law firms, and even international law firms, such as Panama’s Mossack Fonseca, whose client information was exposed after hackers stole 11.5 million documents and leaked them to an international consortium of journalists.

DLA Piper, with a reported $2.5 billion in revenue in 2016 and nearly 4,000 lawyers and offices in 40 countries, is among the largest law firms in the world and the U.S.

In terms of the victims of Petya, the firm is likely one of the smaller companies affected. This week, Petya wreaked havoc, bringing a port terminal in India to a standstill, shutting down or infecting various other large companies to varying degrees, including the French snack company Mondelez Inernational Inc, the French bank BNP Paribas and the U.K. media company WPP Plc.

Nonetheless, such cyber attacks can be especially damaging to law firms’ reputations, not only because their clients trust them to protect their information. Increasingly, law firms such as DLA Piper are seeking to market themselves as seasoned experts in data security and privacy, an area where there is a growing amount of legal work.

“It’s the hot new area,” said Adam Oliver, managing director of Firm Prospects, who owns a recruiting firm as well as a market intelligence firm.

His firm tracks job postings on law firm websites, and found that in the first quarter of 2017, there was a nearly 10 percent year-over-year jump in the number of new positions related to data security or privacy, posted at the largest 200 U.S. law firms. Oliver said that among those 200 firms, there are 440 attorneys that now list data security, privacy or some variant as the sole or main focus of their practice, even though just a few years ago there were so few attorneys concentrated in this area that his firm did not bother to officially track numbers.

“I think it’s curious because everybody wants to be a cybersecurity expert now because firms need to be able to market it,” he said. “There’s just a new sentence in a lot of these bios that say, ‘he’s now an expert in data security and privacy.'”