ST. LOUIS, MO — Since mid-December, attorneys who advise clients on cybersecurity matters have been busy responding to a massive breach of popular information technology network monitoring software affecting large swaths of the federal government and the Fortune 500.
Experts also warn that law firms and the courts are likely to be affected by the breach and should beef up their cybersecurity as well.
On Dec. 13, software giant SolarWinds first acknowledged its Orion platform had been hacked earlier in 2020, leaving its clients vulnerable to data breaches as well. The following week, former Secretary of State Mike Pompeo placed blame for the attack on Russia.
Since then, Glenn E. Davis, an attorney for HeplerBroom in St. Louis and leader of the firm’s HBCyberGroup, has been educating clients about the breach and ensuring they’re taking steps to protect their data.
He said Orion is widely used: SolarWinds has more than 300,000 clients, including the U.S. government and the majority of Fortune 500 companies. The company already has notified 32,000 clients who were directly affected by the breach as part of mitigation efforts.
Davis said it’s important for attorneys to understand that the breach was not just a suspected nation-state attack on the U.S. government but a threat to businesses as well.
“While the scope of the intrusion remains unclear, it is clear it goes far into the private sector,” he said.
Hackers have penetrated “virtually every U.S. agency you can think of,” including the Office of the President, the U.S. Secret Service, the Federal Reserve and NASA, he said.
Malware, or malicious software, from the attack also has surfaced in companies such as Visa, McDonalds, Microsoft and Mastercard, whose Global Operations Center is based in O’Fallon, near St. Louis.
The attack is what’s known as a supply-chain breach, Davis said. After hackers breached Orion’s system, they were able to watch how SolarWinds builds its software from the inside. They then were able to replace Orion’s source code with malware, passing the malware on to Orion purchasers, he said.
“The hackers then collected data on the customers and observed them and saw what they were and who they were, and decided whether or not they were important to target,” he said. The hackers were next able to gain access to customers’ systems through a type of malware known as a backdoor.
Beyond affecting lawyers’ clients, the breach poses a risk to law firms themselves as well as the courts.
On Jan. 6, the Administrative Office of the U.S. Courts announced that the federal judiciary had suspended all national and local use of Orion in response to the breach and issued new procedures to help protect highly sensitive confidential documents.
The AO also announced it is working with the U.S. Department of Homeland Security on a security audit of the judiciary’s electronic filing system.
Anyone could be a target
Data breaches don’t affect only larger firms;:small and medium-sized firms also can be targets, Davis said. He said the breach can serve as a teachable moment for lawyers.
“The biggest lesson for lawyers is to be vigilant on our own cyber hygiene and to use this as an opportunity to review our own procedures,” he said.
Law firms should make sure their technical protections are up to date, and that they’re testing incident-response plans and scrutinizing vendors and vendor security, he said.
Alex Boyd, an associate at Polsinelli in Kansas City, practices with his firm’s technology transactions and data privacy practice group.
The Orion breach serves as a reminder that even secure environments can become compromised, he said.
Boyd recommended that law firms be on the lookout for breach notifications not only from SolarWinds but also from their own vendors.
He also encouraged attorneys to consider purchasing cyber insurance, which provides resources for companies as they respond to a breach.
“What you don’t want is, ‘We’re impacted. Who do we even call?’” he said. “It’s kind of a ready-to-go team to assist you.”
Boyd also suggested that law firms work to harden their systems, which can include promoting use of complex passwords and multifactor authentication.
Echoing Davis, he also emphasized the importance of ensuring firm vendors are keeping client data secure.
“Ask questions about your vendors’ security procedures. Have a contract in place that requires them to implement those things, and if something does happen, they’re going to be the ones who pay for notifications,” he said.
Another good practice is for companies to work to reduce the amount of sensitive data they’re storing and sending, particularly in email, which is especially vulnerable to hackers.
Burton Kelso, a Kansas City-based tech expert who regularly speaks on cybersecurity for lawyers, said the SolarWinds breach also raises the issue of cloud storage security.
“I know the cloud is cool and hip and easy, but maybe at the same time, it’s time to step back and find out: What’s going to be the most secure way to store data in the future?” he said.
Kelso also encouraged the use of local vendors and IT firms, pointing out they generally are more accountable and can provide more personalized support when it is needed.