Overheard on a train: How I could have ransomed a law firm (but didn’t)

31 May 2017

One day in February, Graham Murphy found himself on a train next to two solicitors. As they opened their laptops and began to talk about the details of a £100m transaction, he pricked up his ears and began to think about what a fraudster or cybercriminal might make of all this. And then they went to the buffet…


There isn’t a day that goes by without me using a train. Getting to and from work, attending a meeting or hosting an event. And even occasionally having a spot of lunch on the Champs Elysees.

Unless you sit in first class, trains are also a wonderful way to interact with all human life – from the keyboard warrior to the wide-eyed child excited to be meeting her first ever Jedi Knight (yes, that did happen)… and trains are also a fantastic environment for the now ever-present cybercriminal.

A couple of months ago, while I was on my way to a meeting – which funnily enough was all about how to combat cybercrime in the legal profession – I was able to witness first-hand how easy it actually is to become a victim or even a perpetrator of cybercrime. It’s a subject that’s often on my mind, because I met so many firms who had been the victims of cybercrime at our recent Conveyancing Quality Scheme roadshows on cybercrime.

Sat at a table, enjoying my tea and sarnie, I was joined by a rather smartly dressed young hot-shot professional. Out came the laptop, the notepad, the two mobiles, the headphones and his folder of work. On the opposite side of the carriage, his colleague did the same. The branding on the folder intrigued me, so I did a surreptitious search on Google, which led me to the homepage of a boutique commercial property law firm. This could be an interesting journey, I thought. A quick look at the firm’s website, and within seconds, I had the names of the two lawyers sat opposite: Sam and Jess*. A few more clicks took me to their LinkedIn profiles and Twitter accounts.

As soon as the train left Paddington, Sam started calling. Calls to the client he had just met with; calls to the client’s boss, who wasn’t able to attend the meeting; calls to the investment bankers who were financing the £100m commercial property deal he was working on; calls to his team dealing with various aspects of the – presumably fairly confidential – contract. Even a couple of calls to his dad to remember to put the cat out.

As Sam made and received those mobile calls for nearly two hours, I was able to map out a very clear picture of what he was working on, and the details of the main protagonists in this mammoth deal – which Sam (wife, two young kids, Jaguar car enthusiast, keen golfer and canoeist) needed to close within the next few days.

Now with all that telephone talk, Sam and Jess obviously got a little bit thirsty. And as neither could decide what they wanted to eat or drink, they both popped along to the buffet car together. Sam was careful, or so he thought, as he took his mobile with him. Jess did the same. But there in front of me remained the open, unlocked laptop, the nicely branded folder of printed emails, his bag, and even his credit card bill sticking out of the side pocket.

Sam and Jess were either really hungry or perhaps indecisive, as they took a full eight minutes to go to and from the buffet. I timed it.

For that whole eight minutes, I had full access to Sam’s laptop, open in front of me. With the added bonus, for those eight minutes, of access to a wide variety of printed emails, and even to his personal credit card details. 

Any enterprising person sitting in that carriage could have walked off with that laptop. Or imagine what a common-or-garden fraudster could have done with all that information. But had that person had a few extra skills, they could also have hacked Sam’s passwords or installed ransomware. It doesn’t take very long to do – a few seconds, maybe a minute or two at most. With the luxury of eight whole minutes, it would have been so easy to install something very nasty on that laptop, and surely paying a few bitcoins as a ransom to get back access would have been a small price to pay for Sam to close his £100m deal. We’ve recently seen the devastation that the fairly rudimentary ransomware attack on the NHS has had (netting the fraudsters nearly £87,342 at the current estimate). What would Sam have been willing to pay?

Of course, everybody has to work, and sadly that often means working while we travel. But have you ever wondered who might be listening, learning and taking advantage of the information we let slip on those journeys, through over-exuberance, indiscretion or just plain lack of awareness? How many viral quizzes do you complete on Facebook, and where do you think that data goes? How many times have you logged in to a wifi hotspot at the train station or airport without really thinking? How many conversations have you had on trains that perhaps, in hindsight, could and should have been saved for later? And when last did you read O (4.1) and O (4.5) of the Code of Conduct? Perhaps when you embark on your next journey you should start with a quick look at IB (4.1).

Be warned: it might not be me you’re sitting next to next time. It could be someone much, much worse.

*Names, locations, interests and hobbies have been changed to protect the vulnerable.

The Code of Conduct

O(4.1)
you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;

O(4.5)
you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.

IB(4.1)
your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances

 Read my report for the Property Section on the CQS cybercrime roadshows

The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyberattacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.

Find out more about the Conveyancing Quality Scheme

Tags: cyber security

About the author

Graham Murphy is product manager for the Law Society’s Conveyancing Quality Scheme 
