Global Law Firm Attributes Data Breach to Compromise at File Sharing Provider

February 17, 2021 | 3 minute read

An international law firm attributed a data breach to a compromise at a cloud solutions company that provides file-sharing services. According to the Wall Street Journal, a threat actor claimed to have stolen data from global law firm Jones Day and published that information on the dark web.

The posting by the threat actor, known as “Clop,” included a memo to a judge marked “confidential mediation brief” and a cover letter for “confidential documents.”

“Clop” is the name of a ransomware gang with which Cybereason is very familiar. The Cybereason Nocturnus team has been tracking the activity of the Clop ransomware gang who have leveraged a variant of CryptoMix ransomware in recent attacks.

At the time of writing, the Wall Street Journal had not confirmed the authenticity of those files. In a statement, however, Jones Day said that it had not been the victim of a ransomware attack. As quoted by the American Bar Association (ABA) Journal:

“Jones Day’s network has not been breached. Nor has Jones Day been the subject of a ransomware attack. Jones Day has been informed that Accellion’s FTA file transfer platform, which is a platform that Jones Day—like many law firms, companies and organizations—used, was recently compromised and information taken. Jones Day continues to investigate the breach and has been, and will continue to be, in discussion with affected clients and appropriate authorities.”

Robert Dougherty, a spokesperson for Accellion, confirmed to Bloomberg Law that Accellion was in the process of investigating a “sophisticated cyberattack” it disclosed on February 1, 2021.

“Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm,” he said. “We will share more information once this assessment is complete. For their protection, we do not comment on specific customers.”

The file transfer company was working with other law firms at the time of its disclosure. Those included Goodwin Procter which -  per Law360 - announced a data breach involving a third-party vendor used for file transfers in early February. None of Accellion’s other customers had announced a data breach at the time of writing.

Jones Day has worked with major corporations such as Alphabet Inc.’s Google and JPMorgan Chase & Co. as well as with other entities such as the Trump administration.

Insights from an Expert

To help put this news into perspective, I sat down with Cybereason CSO Sam Curry. Here’s what he had to say about the Jones Day breach along with the growing ransomware landscape:

David Bisson: It’s been reported that threat actors stole 100 gigabytes of data from the law firm. What is the magnitude of that much information ending up in the hands of attackers?

Sam Curry: Attorney-client privilege is vitally important and should be respected, not just by attorneys and courts but by everyone. A right to defense and fair trial is a critical ingredient of our society. However, the size of the leak is not as important as the substance. For instance, image files can be very large compared to text files. The same is true of audio or video for depositions. The big concern here is where that data went and how threat actors might use it.

DB: This incident didn’t involve ransomware. But we hear a lot about ransomware infections these days. Why are these types of attacks seemingly making news every day of the week?

SC: Why do people rob banks? Or perhaps why did they used to? Because that’s where the money is. Ransomware denies and potentially steals our most valuable asset: data. 

DB: So, what advice can you offer organizations that are hit with a ransomware attack?

SC: Once it has hit, make sure that you make a risk-based decision on paying or not. But before you pay, check with your lawyers and law enforcement to make sure that the attackers aren’t a prohibited organization and confirm that those actors will give you what you’re paying for: access and confidentiality. There is no honor among many thieves, but the various groups do have track records, and past behavior is a good indicator of future.

DB: That raises an important question: is it ever a good idea to pay the ransom?

SC: It’s never good, but it may be better than some alternatives. Are lives on the line in a hospital? Do the systems manage critical infrastructure in an energy plant? No one wants to pay, but this decision must be the victim’s once we rule out illegal entities and funding terrorists or banned organizations. 

DB: How can organizations prevent a ransomware attack in the first place?

SC: Ultimately, we should realize that this is the nature of crime. It will continue to grow as long as it is hugely profitable and not addressed. We need to deploy solutions that can stop it cold. We need to collaborate and prepare ahead of time, or the beast will keep on growing.

Learn how Cybereason can help your organization defend against sophisticated threat actors including a wide array of ransomware attacks - find more resources here.

About David Bisson

david-bisson-1David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora.

He also regularly produces written content for Zix and a number of other companies in the digital security space.

David Bisson
About the Author

David Bisson

David Bisson is an information security writer and security junkie. He's a contributing editor to IBM's Security Intelligence and Tripwire's The State of Security Blog, and he's a contributing writer for Bora. He also regularly produces written content for Zix and a number of other companies in the digital security space.

All Posts by David Bisson