Citigroup Report Chides Law Firms for Silence on Hackings

March 26, 2015

Every month it seems another American company reports being a victim of a hacking that results in the theft of internal or customer information. But the legal profession almost never publicly discloses a breach.

The unwillingness of most big United States law firms to discuss or even acknowledge breaches has frustrated law enforcement and corporate clients for several years. That frustration bubbled over in a recent internal report from Citigroup’s cyberintelligence center that warned bank employees of the threat of attacks on the networks and websites of big law firms.

“Due to the reluctance of most law firms to publicly discuss cyberintrusions and the lack of data breach reporting requirements in general in the legal industry, it is not possible to determine whether cyberattacks against law firms are on the rise,” according to the report, a copy of which was reviewed by The New York Times.

The report, issued last month, said it was reasonable to expect law firms to be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals and business strategies. The report said bank employees should be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries.

It said law firms were at “high risk for cyberintrusions” and would “continue to be targeted by malicious actors looking to steal information on highly sensitive matters such as mergers and acquisitions and patent applications.”

The bank’s security team also highlighted several ways hackers had intruded on law firms, by directly breaching their systems, attacking their websites or using their names in so-called phishing efforts to trick people into disclosing personal information.

The Citigroup team issued the report as other Wall Street banks are putting pressure on the legal profession to do more to prevent the theft of confidential client information. For nearly a year, banks and law firms have talked about forging a closer partnership to share some information about hacking incidents. Banks are also demanding more documentation from law firms about online security measures as a condition of retaining them for assignments.

In the last several months, Mandiant, the security firm that is a division of the security consultant FireEye, has been advising a half-dozen unidentified law firms that were victims of a breach or other attack, said a person briefed on the matter who spoke on the condition of anonymity.

Federal law enforcement authorities are urging law firms to be more open about reporting incidents. Agents with the Federal Bureau of Investigation have met with law firm leaders in the last few years to discuss online security. Top federal prosecutors at the Justice Department have begun to do the same.

John P. Carlin, assistant attorney general for national security, spoke this month at an American Bar Association conference in New Orleans, impressing on the lawyers the need to promptly inform clients and law enforcement authorities of attacks that could compromise confidential information.

“There are still a lot of companies that try to go it on their own,” Mr. Carlin said in a recent interview. “They try to circle the wagons.”

Mr. Carlin, who said he had not seen the Citigroup report, said law firms needed to report breaches and serious incidents when they happen and should not view such events as “a badge of shame.” He said he planned to deliver a similar message to big money managers and investors at a hedge fund conference in May in Las Vegas.

The Citigroup report noted that Fried Frank was the victim of a so-called watering hole attack in 2012 in which hackers infected its website with malware, an intrusive program that can be transferred to visitors to the site.

Steve Lewis, director of information systems at Fried Frank, said the law firm’s data network had “never been breached and client information has never been compromised.” In an emailed statement, Mr. Lewis added that the firm’s public website was hosted by an outside vendor and “contains no confidential information.”

Also in 2012, the Citigroup report said, the name of Covington & Burling, a large firm based in Washington, was used in a phishing campaign that appears to have been orchestrated by a “China-based group” of hackers. The report said the campaign, which typically involves sending fake but realistic-looking email, may have been an effort to learn more about the law firm’s prominent corporate clients, given its work for military contractors and energy companies, including its work on several solar energy projects at the time.

Covington also may have been an intriguing name for hackers to misuse because Eric H. Holder Jr., the attorney general, once worked there.

The Citigroup report said the information on the attacks involving Covington and Fried Frank had come from iSight Partners, a security consulting firm based in Dallas that has received financial backing from Blackstone. As with Fried Frank, there is no indication Covington’s systems were breached.

Citigroup issued a statement on Thursday distancing itself from the report. A person briefed on the matter but not authorized to speak publicly said the bank had stopped distributing it.