Legal firms have access to some of the most sensitive data imaginable about their clients – whether corporate or private.
And just like any other company, they hold personal information about their employees, such as home address, contact details, bank account numbers and pension information.
But just how secure is the average law firm? Using our BreachAlert platform, we analysed the dark web footprints of domains belonging to the top 500 law firms in the UK, and quickly discovered details of more than 1 million hacked, leaked or stolen credentials being circulated online – an average of roughly 2,000 email addresses per firm.
The vast majority of these credentials were exposed through “third party breaches” – a data breach from another website or system unconnected to the law firm, where their employees have signed up using their work email address. These breaches are not the fault of the law firm, and there’s no suggestion that the firm’s networks have been hacked.
The key findings from our analysis were as follows:
• 620 domains belonging to 500 different law firms were profiled.
• Every single law firm had at least 1 credential exposed.
• A total of 1.16 million credentials were discovered in data breaches available on the dark web and on dump and paste sites.
• More than half of these credentials had been posted in the last 6 months.
• More than 80% of the breached credentials also had an associated password, often in cleartext.
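The figures above come from grouping third-party breach records by the employer domain of the exposed address and then counting how many records carry a password and how many were posted recently. The script below is an added illustration of that aggregation, written for this page; it is not BreachAlert's own code. The breach records, the monitored domains and the reference date are all constructed sample data, and the 182-day window is an assumed approximation of "the last 6 months".

```python
"""Profile third-party breach exposure per monitored domain.

Added example for this page, not the BreachAlert platform's own code.
All records below are constructed sample data, not real breach contents.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample records: (source, date_posted, email, password or None).
# None means the dump listed the address but no password alongside it.
SAMPLE_RECORDS = [
    ("forum-dump-A", "2019-05-10", "alice@examplelaw.co.uk", "Summer2019!"),
    ("forum-dump-A", "2019-05-10", "Bob@ExampleLaw.co.uk", None),
    ("paste-site-B", "2018-11-02", "alice@examplelaw.co.uk", "Summer2019!"),
    ("combo-list-C", "2019-06-20", "carol@otherfirm.com", "hunter2"),
    ("combo-list-C", "2019-06-20", "dave@unrelated.org", "pw"),
    ("combo-list-C", "2019-06-20", "not-an-address", "pw"),
]

# Constructed list of domains we are monitoring; quietfirm.co.uk has no records,
# so it shows how a firm with zero exposure appears in the output.
MONITORED_DOMAINS = {"examplelaw.co.uk", "otherfirm.com", "quietfirm.co.uk"}
AS_OF = date(2019, 7, 1)  # assumed reference date for the "recent" window


def domain_of(email):
    """Return the lowercased domain of an address, or None if it is malformed."""
    if email.count("@") != 1:
        return None
    local, domain = email.strip().lower().split("@")
    return domain if local and domain else None


def profile_domains(records, monitored, as_of, window_days=182):
    """Summarise exposures for every monitored domain (zero rows included).

    Returns domain -> {"credentials", "unique_emails", "with_password",
    "recent", "sources"}. Records for unmonitored or malformed addresses
    are skipped rather than counted.
    """
    cutoff = as_of - timedelta(days=window_days)
    stats = {d: {"credentials": 0, "with_password": 0, "recent": 0}
             for d in monitored}
    emails, sources = defaultdict(set), defaultdict(set)
    for source, posted, email, password in records:
        domain = domain_of(email)
        if domain not in stats:
            continue
        s = stats[domain]
        s["credentials"] += 1
        if password:
            s["with_password"] += 1
        if date.fromisoformat(posted) >= cutoff:
            s["recent"] += 1
        emails[domain].add(email.strip().lower())
        sources[domain].add(source)
    for domain, s in stats.items():
        s["unique_emails"] = len(emails[domain])
        s["sources"] = sorted(sources[domain])
    return stats


def overall_summary(stats):
    """Headline figures across all profiled domains, as percentages of records."""
    total = sum(s["credentials"] for s in stats.values())
    with_pw = sum(s["with_password"] for s in stats.values())
    recent = sum(s["recent"] for s in stats.values())
    return {
        "domains_profiled": len(stats),
        "domains_with_exposure": sum(1 for s in stats.values() if s["credentials"]),
        "credentials": total,
        "pct_with_password": round(100 * with_pw / total, 1) if total else 0.0,
        "pct_recent": round(100 * recent / total, 1) if total else 0.0,
    }


def cross_dump_pairs(records):
    """Return (email, password) pairs that appear in more than one source.

    The same pair circulating in several dumps is the case a defender most
    wants flagged, since it is the pair most likely to be tried elsewhere.
    """
    seen = defaultdict(set)
    for source, _posted, email, password in records:
        if password and domain_of(email):
            seen[(email.strip().lower(), password)].add(source)
    return {pair for pair, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    per_domain = profile_domains(SAMPLE_RECORDS, MONITORED_DOMAINS, AS_OF)
    for domain, s in sorted(per_domain.items()):
        print(domain, s)
    print(overall_summary(per_domain))
    print("pairs seen in multiple dumps:", cross_dump_pairs(SAMPLE_RECORDS))
```

On the sample data this reports two of three monitored domains with exposure, 75% of records carrying a password and 75% posted inside the window, and flags the one address whose password turns up in two separate dumps. In practice the records would come from a breach-monitoring feed rather than an inline list, and the monitored set would be every domain the firm owns, not just the primary one.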
With many law firms publishing contact email addresses for their partners and staff on their websites, it is relatively easy for spammers and cybercriminals to obtain a valid address. Every exposed email address puts that member of staff at significant risk of phishing attacks and impersonation attempts, on top of the constant plague of spam and malware; where a password was exposed alongside the address, the risk extends to any other service where that password was reused.