
Overheard on a train: How I could have ransomed a law firm (but didn’t)

31 May 2017

One day in February, Graham Murphy found himself on a train next to two solicitors. As they opened their laptops and began to talk about the details of a £100m transaction, he pricked up his ears and began to think about what a fraudster or cybercriminal might make of all this. And then they went to the buffet…

There isn’t a day that goes by without me using a train. Getting to and from work, attending a meeting or hosting an event. And even occasionally having a spot of lunch on the Champs Elysees.

Unless you sit in first class, trains are also a wonderful way to interact with all human life – from the keyboard warrior to the wide-eyed child excited to be meeting her first ever Jedi Knight (yes, that did happen)… and trains are also a fantastic environment for the now ever-present cybercriminal.

A couple of months ago, while I was on my way to a meeting – which funnily enough was all about how to combat cybercrime in the legal profession – I was able to witness first-hand how easy it actually is to become a victim or even a perpetrator of cybercrime. It’s a subject that’s often on my mind, because I met so many firms who had been the victims of cybercrime at our recent Conveyancing Quality Scheme roadshows on cybercrime.

Sat at a table, enjoying my tea and sarnie, I was joined by a rather smartly dressed young hot-shot professional. Out came the laptop, the notepad, the two mobiles, the headphones and his folder of work. On the opposite side of the carriage, his colleague did the same. The branding on the folder intrigued me, so I did a surreptitious search on Google, which led me to the homepage of a boutique commercial property law firm. This could be an interesting journey, I thought. A quick look at the firm’s website, and within seconds, I had the names of the two lawyers sat opposite: Sam and Jess*. A few more clicks took me to their LinkedIn profiles and Twitter accounts.

As soon as the train left Paddington, Sam started calling. Calls to the client he had just met with; calls to the client’s boss, who wasn’t able to attend the meeting; calls to the investment bankers who were financing the £100m commercial property deal he was working on; calls to his team dealing with various aspects of the – presumably fairly confidential – contract. Even a couple of calls to his dad to remember to put the cat out.

As Sam made and received those mobile calls for nearly two hours, I was able to map out a very clear picture of what he was working on, and the details of the main protagonists in this mammoth deal – which Sam (wife, two young kids, Jaguar car enthusiast, keen golfer and canoeist) needed to close within the next few days.

Now with all that telephone talk, Sam and Jess obviously got a little bit thirsty. And as neither could decide what they wanted to eat or drink, they both popped along to the buffet car together. Sam was careful, or so he thought, as he took his mobile with him. Jess did the same. But there in front of me remained the open, unlocked laptop, the nicely branded folder of printed emails, his bag, and even his credit card bill sticking out of the side pocket.

Sam and Jess were either really hungry or perhaps indecisive, as they took a full eight minutes to go to and from the buffet. I timed it.

For that whole eight minutes, I had full access to Sam’s laptop, open in front of me. With the added bonus, for those eight minutes, of access to a wide variety of printed emails, and even to his personal credit card details. 

Any enterprising person sitting in that carriage could have walked off with that laptop. Or imagine what a common-or-garden fraudster could have done with all that information. But had that person had a few extra skills, they could also have hacked Sam’s passwords or installed ransomware. It doesn’t take very long to do – a few seconds, maybe a minute or two at most. With the luxury of eight whole minutes, it would have been so easy to install something very nasty on that laptop, and surely paying a few bitcoins as a ransom to get back access would have been a small price to pay for Sam to close his £100m deal. We’ve recently seen the devastation that the fairly rudimentary ransomware attack on the NHS has had (netting the fraudsters nearly £87,342 at the current estimate). What would Sam have been willing to pay?

Of course, everybody has to work, and sadly that often means working while we travel. But have you ever wondered who might be listening, learning and taking advantage of the information we let slip on those journeys, through over-exuberance, indiscretion or just plain lack of awareness? How many viral quizzes do you complete on Facebook, and where do you think that data goes? How many times have you logged in to a wifi hotspot at the train station or airport without really thinking? How many conversations have you had on trains that perhaps, in hindsight, could and should have been saved for later? And when last did you read O (4.1) and O (4.5) of the Code of Conduct? Perhaps when you embark on your next journey you should start with a quick look at IB (4.1).

Be warned: it might not be me you’re sitting next to next time. It could be someone much, much worse.

*Names, locations, interests and hobbies have been changed to protect the vulnerable.

The Code of Conduct

you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;

you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.

your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances

Read my report for the Property Section on the CQS cybercrime roadshows

The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyberattacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.

Find out more about the Conveyancing Quality Scheme

Tags: cyber security

About the author

Graham Murphy is product manager for the Law Society’s Conveyancing Quality Scheme.
