Overheard on a train: how I could have ransomed a law firm (but didn’t)

For many of us, working on the go is a necessity. But, when Graham Murphy found himself sitting next to an indiscreet lawyer on a train, he wondered how legal professionals could make easy targets for enterprising cyber criminals.
[Image: A man sat on a train with a laptop looks up, as if overhearing a conversation.]

There isn’t a week that goes by without me using a train. Getting to and from work, attending a meeting or hosting an event.

Trains are a wonderful way to interact with all human life, but they are also a fantastic environment for cybercriminals.

Once, while I was on my way to a meeting, I was able to witness first-hand how easy it is to become a victim or perpetrator of cybercrime.

In earshot

Sitting at a table, enjoying my lunch, I was joined by a rather smartly dressed young professional. He unpacked his laptop, notepad, two mobiles, headphones and a folder of work.

On the opposite side of the carriage, his colleague did the same.

The branding on their folders intrigued me, so I did a surreptitious search on Google, which led me to the homepage of a boutique commercial property law firm.

A quick look at the firm’s website, and within seconds, I had the names of the two lawyers sitting opposite: Sam and Jess.

A few more clicks took me to their LinkedIn profiles and Twitter accounts.

As soon as the train left Paddington, Sam began to make phone calls.

He made calls to the client he had met with; the client’s boss, who wasn’t able to attend the meeting; the investment bankers financing the £100m commercial property deal; his team dealing with the contract.

As Sam made and received those mobile calls for nearly two hours, I was able to map out a clear picture of what he was working on, and who he was working with in this mammoth deal – which Sam needed to close within the next few days.

An opportunity for cyber criminals

After working for some time, Sam and Jess took a break and decided to go to the buffet car.

Sam was careful, or so he thought, as he took his mobile with him. Jess did the same.

But there in front of me remained Sam’s open, unlocked laptop, the nicely branded folder of printed emails, his bag, and even a credit card bill sticking out of the side pocket.

Sam and Jess took a full eight minutes to go to and from the buffet. I timed it.

For that whole eight minutes, I had full access to Sam’s laptop, open in front of me, a wide variety of printed emails, and even to his personal credit card details.

What could have happened

Any enterprising person sitting in that carriage could have walked off with his laptop.

All the personal data enclosed would have been fertile ground for a fraudster to exploit.

A cybercriminal could also have hacked Sam’s passwords or installed ransomware. It doesn’t take very long to do – a few seconds, maybe a minute or two at most.

With the luxury of eight whole minutes, it would have been so easy to install something very nasty on that laptop.

Handing over money to criminals to regain access might well have seemed a small price to pay for Sam to close his £100m deal.

Ransomware attacks are a massive problem for UK business, with RPC reporting a 100% increase from 2020 to 2021.

Sectors that deal with private and financial client data remain the most at risk, leaving law firms in an especially vulnerable position.

Staying alert

It’s imperative for legal professionals to be vigilant at all times, and especially when conducting work outside of the office.

However, for many, working on the go is often a necessity.

But have you ever wondered who might be listening, learning and taking advantage of the information we let slip on those journeys, through over-exuberance, indiscretion or just plain lack of awareness?

How many viral quizzes do you complete on Facebook, and where do you think that data goes?

How many times have you logged in to a wifi hotspot at the train station or airport without really thinking?

How many conversations have you had on trains that perhaps, in hindsight, could and should have been saved for later?

And when did you last read the SRA Code of Conduct for Solicitors? Perhaps when you embark on your next journey, you should start with a quick look.

Be warned: it might not be me you’re sitting next to next time. It could be someone much, much worse.

Your confidentiality obligations

The SRA Code of Conduct for Solicitors, RELs and RFLs states at 6.3: “You keep the affairs of current and former clients confidential unless disclosure is required or permitted by law or the client consents.”

Read our guidance on remote working and AML technology to ensure you're protected when working on the go.

Decide if your firm needs cyber insurance with our helpful guide.

Follow best practice if you fall foul of a scam with our comprehensive practice note.
