Analysis Of The Week: Data Disasters


By Alison Catchpole

The Story

Cyber attacks have been hitting headlines hard recently*.

In early June 2021, hackers accessed McDonald’s customers’ emails, delivery addresses and phone numbers in Taiwan and South Korea. The same breach allegedly exposed some business and contact information of employees and franchisees in the US and, according to the Wall Street Journal, included some information on restaurants, such as seating capacity. The investigation is still ongoing, and may include data from South Africa and Russia (ITPro), but the attack did not involve ransomware.

In the past few weeks alone, JBS, the world’s largest meat processor, and the 5,500-mile Colonial Pipeline have both been subject to ransomware attacks from hackers thought to be based in Russia. JBS paid $11 million in ransom (Financial Times), and Colonial paid a $4.4 million ransom, though the FBI later recovered $2.3 million using a bitcoin private key (CBS).

*In fact, at the time of releasing this newsletter, Gateley has just faced a loss of client data following a cyber attack (Legal Futures).

The Background

Cybercrimes harm companies in a variety of ways. In 2020, IBM reported the global average cost of a data breach as $3.86 million. In particular, the highest industry average cost was found in healthcare, at $7.13 million. The cost of resolving a data breach also increased by $137,000 when most employees worked from home (IBM).

Insurers have been blamed for encouraging companies to meet hackers’ demands by reimbursing ransom payments. The FBI has long opposed paying out. For Colonial, swift notification and the ‘digital fingerprints’ left by the Darkside hacking group, including the cryptocurrency address where Colonial was ordered to send the ransom, were cited as evidential turning points for the newly formed US Department of Justice Ransomware Task Force (SearchSecurity.TechTarget).


What It Means For Businesses And Law Firms

Online threats have become a fact of life. Critical assets include data (including IP), networks, computers and smart devices, and as the ‘Internet of Things’ grows, so does the number of endpoints serving as potential attack vectors.

Law firm Kingsley Napley points out that: “In many cyber crime cases, there is a grey area between freedom of expression and abusive communications. In others, most notably hacking cases, there are legitimate differences in opinion as to what constitutes unlawful activity” (Kingsley Napley).

Data breaches involving third parties can be particularly toxic. In February, it was reported that Jones Day – the firm that, allegedly, worked on some of former US president Donald Trump’s challenges to the 2020 election results – had 100 gigabytes of data stolen (Legal Futures). Some of it even appeared on the dark web, posted by the hackers, who run the Cl0p ransomware. In a statement to the Wall Street Journal, Jones Day blamed the data breach on Accellion, a company that provides a file-sharing service and which had been hacked shortly before Jones Day.

A report into cybercrime by the Solicitors Regulation Authority (SRA) in September 2020 found that indirect financial costs for law firms experiencing cybercrimes quickly mount, with one firm losing £150,000 in billable hours (Legal Futures). Yet almost 50% of firms with a disaster recovery plan in place had this stored on the same system that could be targeted for attack. According to the report, “most incidents occurred due to individual errors and misunderstanding rather than systems being hacked”. The weakest link in the chain, it seems, is still that between the chair and the keyboard.