One Law Firm’s Failure to Protect Client Data

Clients entrust lawyers to protect their data: information about matters that are vital to their lives and businesses.  There are many details about Anonymous in Gabriella Coleman’s excellent book Hacker, Hoaxer, Whistleblower, Spy, but a story about a law firm especially caught my eye.  When Anonymous focused on groups related to file sharing and copyright, the ACS:Law law firm in the UK was a target.  Missteps by the firm’s hired IT staff brought the firm down.

Prof. Coleman’s book is published under a Creative Commons license, so I’ll use her words:

Anonymous set its sights on ACS:Law, a British law firm notorious for sending threatening letters at the behest of copyright owners to thousands of alleged file sharers, demanding money and the cessation of ostensibly illegal downloading.  It took Anonymous much more time to choose ACS:Law as its target (two hours) than it did to take down the law firm’s website (two minutes).  After the hit, the firm’s head solicitor, Andrew Crossley, was so unimpressed by the attack that he hastily volleyed back with the following statement:  “It was only down for a few hours.  I have far more concern over the fact of my train turning up ten minutes late or having to queue for a coffee than them wasting my time with this sort of rubbish.”

But, it turned out, these few hours of website downtime might have cost him his firm.  ACS:Law’s web team was so incompetent that in restoring the site they accidentally made an entire backup, replete with e-mails and passwords, available for anyone with a modicum of technical ability to see and take.  Anonymous noticed it, snatched it, and promptly threw all the emails on the Pirate Bay.

Not good by any means.  To be honest, I’m not surprised a law firm Web site went under in a DDoS attack.  An unencrypted backup left in a web-accessible location is another thing entirely.  IT staff may not look at a technology problem – crashed server, whatever – with the same eyes that a lawyer has to.  What is just a stolen server or an unencrypted backup to tech staff may be a confidentiality breach for the lawyer, and the breach remains even after the underlying technical problem is fixed.
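The specific mistake in the ACS:Law restore, a backup archive dropped where the web server would serve it, is easy to check for mechanically.  The script below is an added example, not code from this post, from Prof. Coleman’s book or from anyone involved in the ACS:Law case: it walks a document root and flags files that should never be public (archives, database dumps, mail stores, editor leftovers, version-control metadata).  The demo document root and every file name in it are constructed for illustration.

```python
"""Added example: scan a web document root for backup artifacts that a web
server would hand to anyone who guesses, or is given, the URL.

Constructed demo only; the file names below are invented and are not taken
from the ACS:Law incident.
"""
import os
import re
import tempfile

# Extensions that almost never belong under a public document root.
ARCHIVE_EXT = {".zip", ".tar", ".tgz", ".gz", ".bz2", ".xz", ".7z", ".rar"}
DUMP_EXT = {".sql", ".bak", ".old", ".orig", ".save", ".swp", ".mbox", ".pst", ".eml"}
# Version-control metadata served over HTTP leaks history and often credentials.
HIDDEN_DIRS = {".git", ".svn", ".hg"}
# Name fragments that hint at a backup, matched as whole tokens so that
# "bakery.jpg" does not trigger on "bak".
NAME_HINT = re.compile(r"(^|[^a-z])(backup|bak|dump|archive|export)(?=[^a-z]|$)")


def looks_like_backup(relpath: str) -> bool:
    """Return True if a path (relative to the web root, '/'-separated) should not be public."""
    parts = relpath.split("/")
    if any(p in HIDDEN_DIRS for p in parts[:-1]):
        return True
    name = parts[-1].lower()
    ext = os.path.splitext(name)[1]
    if ext in ARCHIVE_EXT or ext in DUMP_EXT:
        return True
    return NAME_HINT.search(name) is not None


def find_exposed_backups(webroot: str) -> list:
    """Walk webroot and return the sorted relative paths of suspicious files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            if looks_like_backup(rel):
                hits.append(rel)
    return sorted(hits)


def build_demo_root() -> str:
    """Create a throwaway document root with constructed content for the demo."""
    root = tempfile.mkdtemp(prefix="demo-webroot-")
    files = {
        "index.html": "<html><body>Example Legal LLP</body></html>",
        "css/site.css": "body { margin: 0 }",
        "images/bakery.jpg": "not-really-a-jpeg",            # benign; must not be flagged
        "site-backup-2010-09.tar.gz": "fake archive bytes",   # the classic restore mistake
        "mail/inbox.mbox": "From demo@example.invalid\n",     # mail store under the docroot
        "wp-config.php.bak": "define('DB_PASSWORD', 'x');",   # admin/editor leftover
        ".git/config": "[core]\n",                            # VCS metadata
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for hit in find_exposed_backups(demo):
        print("EXPOSED:", hit)
```

Run against a real document root the same way (`find_exposed_backups("/var/www/html")`).  A clean scan is necessary but not sufficient: the durable fix is to write backups to a location the web server cannot read at all, encrypt them at rest, and have the server refuse to serve archive and dump extensions so that a future restore done in a hurry fails safe.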

More from Prof. Coleman:

Two hours of planning, two minutes of DDOS’ing, and not long after the firm closed…. Crossley – who had been more worried about queuing for a coffee – was tried in the Solicitors Disciplinary Tribunal for an array of charges. … Even though he challenged the claim that he had not taken proper measures to protect client data, he was found guilty as charged and the Information Commissioner’s Office also fined him for the data breach.

If you look at Crossley’s tribunal findings, starting at ¶ 92, it’s an interesting list of concerns:

  • an IT consultant, brought in after the DDoS, found the firm had not used a firewall or access control (the findings do not define the term);
  • the firm’s ISP, responsible for the shared server [in other words, one not dedicated solely to the law firm], had left a backup of the firm’s emails in place even though it appears to have been asked to delete it;
  • concerns that his Web site hosting subscription, a package aimed at “home” users rather than business users, was inadequate for a law firm.

It would be interesting to know how many law firms have made similar choices and stayed under the radar – security through obscurity – only because they haven’t yet been a target.  Crossley doesn’t sound like a particularly admirable example of a lawyer but, at least in his choice of technologies and his reliance on IT experts, he may not be that unusual.