Partner and Head of Data and Privacy Litigation, Kingsley Hayes, examines the growing cybersecurity threat to UK businesses in light of The Guardian ransomware attack.
Kingsley’s article was published in New Law Journal, 3 March 2023, and can be found here.
Hackers struck the Guardian Media Group on 20 December 2022. The cyberattack caused serious disruption to the media outlet’s business operations and involved the theft of a large quantity of personal data.
The cyberattack on the Guardian involved phishing. A ‘phishing’ attack can be initiated where, for example, a hacker sends an email or text message to an employee of an organisation. This may include an innocent looking website link or invitation for the recipient to open an attachment. Once the link is clicked, or the attachment opened, however, malicious software, such as ransomware, is then installed on the user’s system. Where this gets past any cybersecurity measures such as firewalls or antivirus software, hackers can then gain full control over the user’s system.
In many cases, where the user’s systems are less secure, once the hacker has gained access through the initial phishing attempt, they can then go on to access other IT systems within the victim’s organisation.
Another phishing technique, known as ‘credential phishing’, involves hackers duping staff into disclosing their usernames and passwords, enabling the hackers to access systems by using legitimate login details. This is often achieved via a phone call or an email purporting to be from within the organisation.
Hackers who conduct phishing cyberattacks then typically go on to steal digital data from the victim organisation, or to encrypt its systems. They then demand payment of a ransom for its return, or threaten to publish or sell the data in the event of non-payment. Where systems are encrypted, payment is demanded in exchange for the decryption key. In such cases, organisations can be completely paralysed and may be tempted to pay the ransom, which is usually demanded in cryptocurrencies.
Computer security experts advise that a common time for cyberattacks is in the run up to Christmas, or other festive occasions. Hackers know that more staff may be away from the business at such times and perhaps less vigilant or prepared, which can leave the victim organisation more vulnerable.
Once access was gained in the Christmas 2022 attack on the Guardian, the unidentified hackers stole the personal data of the newspaper’s UK employees, representing nearly all its 1,600-strong global workforce. The data taken included their names, addresses, dates of birth, National Insurance numbers, salaries, bank details and passport numbers.
On discovering the attack, the Guardian made the decision to take down its systems and ordered staff to work from home from 21 December 2022. The newspaper also ran an article on the attack and reported it to the Information Commissioner’s Office (ICO). The group later announced to its staff its belief that the attack used ransomware software which had been triggered by a successful phishing attempt.
The closure of the group’s London office, which hosts a small skeleton staff, has continued since 21 December. Staff in the UK, US and Australia continued to work from home throughout January, with the office closure extended to early February.
Such a massive loss of extensive personal data in a cyberattack, potentially in breach of the GDPR, inevitably creates a risk of the ICO determining that breaches of the legislation occurred, for which a monetary penalty notice should be made, and enforcement action taken. The victim organisation will at least need to undertake an internal investigation, and implement a data breach response strategy, to include notifying individuals whose personal data was not kept secure. It will also need to deal with the ICO’s investigation.
Data breaches such as the Guardian attack are invariably high-profile events, which can have a wider impact within and beyond the victim organisation. Other potential consequences of a successful attack include damaged levels of customer confidence and public trust, decreased profits and the prospect of facing legal claims, either brought individually or by way of collective actions, seeking damages for breaches of data protection and privacy rights.
What lessons can UK businesses, especially law firms, draw from the Guardian cyberattack?
Law firms have long been considered one of cybercriminals’ most attractive targets. In common with media outlets, law firms routinely acquire large amounts of digital data, which in many cases will be information of a highly sensitive and personal nature.
In the case of the Guardian, it is understood that customers and subscribers of the publication were not affected by the data breach, with the theft involving only employees’ personal data. However, the theft of customer data has been accomplished in many other successful phishing attacks.
While the exact nature of the phishing attack used against the Guardian is still unknown, it is clear that this attack vector is popular amongst those hackers currently targeting UK businesses. Law firms will therefore need to be extremely vigilant in protecting their client data against such cybercrimes.
The Cyber Security Breaches Survey 2022 carried out for the UK government found that 39% of UK businesses surveyed had identified at least one cyberattack in 2022, with phishing attempts making up 83% of all attacks. All of the organisations surveyed reported that phishing represented a significant proportion of detected cyberattacks, with larger organisations reporting a higher proportion of phishing attacks.
The BBC has reported that while the revenues of cybercrime gangs fell in 2022, the number of attacks rose. The number of unique types of ransomware software packages active in the first half of 2022 worldwide was 10,000, according to research by cybersecurity firm, Fortinet.
Law firm owners can continue to expect a significant proportion of cybersecurity attacks against their businesses to be phishing in 2023. Given the strict solicitor-client confidentiality ethical duties involved, businesses which operate in the legal sector should regard having adequate protection against phishing attacks as an ethical necessity, as well as a business risk.
The attack vector of phishing relies on human error, in that the recipient organisation usually only falls victim to the method if a recipient responds to the invitation by clicking a link or opening an attachment, or is deceived into disclosing their login details. Attackers employ social engineering techniques, such as a short deadline, to induce a quick, emotive response. Phishing attacks can come by way of a variety of communication methods. Instead of sending an email, attackers may send a system user a virtual meeting request which, if accepted, invites them to download malicious software.
To reduce the risks of human error on which phishing attempts depend, it is important that all employees are regularly trained on the methods used and reminded of the need for everyone to be cautious and vigilant against cybercriminals. Additionally, as the Guardian attack indicates, staff should be particularly alert to phishing attempts around public holidays and festive periods, when they may be more prone to letting their guard down and when the frequency of attacks rises because attackers perceive the organisation to be less prepared.
Organisations may wish to consider operating their IT systems within a ‘segregated environment’, which prevents attackers who are successful in breaching one part of their network from accessing other IT systems. Such segregation can help provide a safe place for staff to store valuable or confidential information. If systems are built and used in this way, the segregated information will remain secure even in the event of a successful phishing attack. Regular backups are essential, and these should be segregated.
IT professionals can develop a system of regular checks to identify system vulnerabilities and take steps to fix them. IT policies can also be implemented to restrict software installation to certain staff members. Implementing simple procedures like this can detect threats and make it impossible for a non-authorised user to download and run new software which could be used by hackers in a cyberattack.
To reduce the amount of personal data which could be stolen, organisations should avoid retaining it for any longer than is necessary and should consider what information could be deleted. Data retention policies which require deletion of digital data after a certain time period should have trigger points at key intervals so that the information is deleted from the user’s system once it is no longer required.
Guidance as to best practice in cybersecurity is issued by the National Cyber Security Centre, a government initiative.
For a law firm to fall victim to a cyberattack similarly to the Guardian might seem unthinkable, but it has happened before and recent events show that attacks will continue to occur. Analysis of cyberattacks demonstrates that phishing attempts directed at large, global organisations and small UK firms have been successful. These can often result from a single, isolated human error. Given the serious consequences which could result from a successful phishing attack on a UK law firm, complacency within the profession about data security is simply not an option.