DLA Piper Ransomware Hack: What Can We Learn From It?

The Incident

On June 27, DLA Piper LLP, one of the largest law firms in the world, was hit by a ransomware attack that infected hundreds of thousands of computers across their platform. The malware behind this global cyber event encrypted all affected files and demanded a ransom of $300 in bitcoin to regain access or avoid the threat of deletion. DLA Piper’s warning system detected the malware and prompted their IT team to act quickly.

The legal industry is one where court dates and legal deadlines call for timely action, lawyers must have reliable access to their case files, and sensitive information on corporate and private clients must remain confidential, so the law firm worked quickly to mitigate the emergency. Network services and landlines were down. A sign within the law firm’s office in Sydney read, “All network services are down, do not turn on your computers! Please remove all laptops from docking stations and keep turned off. No exceptions.”

The next day, the firm released a statement reporting the attack. A spokesperson informed the public that they were working with external forensic experts and authorities, such as the FBI and the UK National Crime Agency.

The attack, which has been compared to the WannaCry and Petya hacks, used EternalBlue, a hacking tool that was rumoured to be stolen from the NSA, and other methods to increase its reach and cause its damage. First affecting Ukrainian organizations, the malware quickly spread internationally and eventually hit DLA Piper. The cause of the breach was believed to have sprung from a recent update in the firm’s payroll software by a Ukrainian accounting firm.

On July 3, DLA Piper announced that they had safely brought their email back online, but that not all servers had been restored.

The Aftermath

Ten days after the attack, the firm continues to experience IT issues. Some email records still remain inaccessible. All computers are screened and cleared in a graduated manner to ensure safety. On July 10, the firm released an update showing appreciation for public support. They have also stated, “we continue to see no evidence that client data was taken or that there was a breach of the confidentiality of that data.”

Insurance brokers estimate the total direct and indirect costs of the attack could be “in the millions”. Cybersecurity experts have named the global hacking phenomenon “NotPetya”. Other international companies affected in the hack continue to experience permanent damage.

Lessons to Learn from the Cyberattack

  • Cyber threats may be prevented, but not eliminated
    One thing we must add is that cyber threats cannot be eliminated. Although cyber threats are mostly preventable, it is impossible to be fully threat free. A company may have sound security detectors, but a well-crafted email phishing scam can still trick an employee into entering their credentials if staff are not properly trained in recognizing fraudulent emails. M. K. Palmore, an information security executive at the Federal Bureau of Investigation (FBI), explains, “you have to be right every time. [Cybercriminals] only have to be right once.”
  • Timely response and transparency
    As we have mentioned previously in “5 Lessons to Learn from the Walmart Canada Data Breach”, timely notice to affected bodies and law enforcement is required by law. DLA Piper informed law enforcement immediately upon noticing signs of a breach and promptly released an announcement online. Although they have since reported that no client data was compromised, their transparency and approach to handling the breach granted them support and solidified their trustworthiness in the public eye.
  • Insurance may not always cover everything
    A LogicForce report surveying 200 firms has recently found that all firms were subject to hacking attacks. However, while 40% of these hacks were successful, 40% of those who were hacked were unaware of it. This reveals two things: that the typical firm is not protected enough and that the current norm for threat detection is too weak.
    The report also found that only 23% of firms polled had cybersecurity insurance policies. These policies covered direct costs associated with the hack, such as ransom costs and hiring investigators and a legal team to advise in the event. However, personal indemnity policies are generally designed to protect client data and money, so loss of revenue due to business interruption is not always covered. Even the “business interruption” component of a firm’s insurance policy would not remediate long-term losses from the hack.
    However, having some coverage is better than having none, given the increased frequency of breaches. We recommend that firms find coverage that is best suited to their potential risks.
  • The need for off-site data storage, cybersecurity education, and proper detection in a response plan
    It is already known that data breaches are becoming increasingly common. If a firm is hit by a cyberattack, it is important for it to have the right response plans in place. In the case of the DLA Piper attack, the firm’s downtime would have been minimized if they had off-site data storage that workers were educated and encouraged to use to back up their data. However, the firm’s threat detection tool was effective in discovering the malware and allowing authorities to act quickly to mitigate the emergency and protect the safety of client data.
  • The rise in cyber audits
    LogicForce’s report identified a trend in cyber audits, that is, clients requesting that law firms meet a requirement or expectation of cybersecurity before they are hired. The findings showed that 34% of firms report having to undergo a cyber audit from a client. This number is expected to reach 65% by 2018, revealing the public demand for cybersecurity protocols in the near future.