Overheard on a train: How I could have ransomed a law firm (but didn’t)
One day in February, Graham Murphy found himself on a train next to two solicitors. As they opened their laptops and began to talk about the details of a £100m transaction, he pricked up his ears and began to think about what a fraudster or cybercriminal might make of all this. And then they went to the buffet…
There isn’t a day that goes by without me using a train. Getting to and from work, attending a meeting or hosting an event. And even occasionally having a spot of lunch on the Champs Elysees.
Unless you sit in first class, trains are also a wonderful way to interact with all human life – from the keyboard warrior to the wide-eyed child excited to be meeting her first ever Jedi Knight (yes, that did happen)… and trains are also a fantastic environment for the now ever-present cybercriminal.
A couple of months ago, while I was on my way to a meeting – which funnily enough was all about how to combat cybercrime in the legal profession – I was able to witness first-hand how easy it actually is to become a victim or even a perpetrator of cybercrime. It’s a subject that’s often on my mind, because I met so many firms who had been the victims of cybercrime at our recent Conveyancing Quality Scheme roadshows on cybercrime.
Sat at a table, enjoying my tea and sarnie, I was joined by a rather smartly dressed young hot-shot professional. Out came the laptop, the notepad, the two mobiles, the headphones and his folder of work. On the opposite side of the carriage, his colleague did the same. The branding on the folder intrigued me, so I did a surreptitious search on Google, which led me to the homepage of a boutique commercial property law firm. This could be an interesting journey, I thought. A quick look at the firm’s website, and within seconds, I had the names of the two lawyers sat opposite: Sam and Jess*. A few more clicks took me to their LinkedIn profiles and Twitter accounts.
As soon as the train left Paddington, Sam started calling. Calls to the client he had just met with; calls to the client’s boss, who wasn’t able to attend the meeting; calls to the investment bankers who were financing the £100m commercial property deal he was working on; calls to his team dealing with various aspects of the – presumably fairly confidential – contract. Even a couple of calls to his dad to remember to put the cat out.
As Sam made and received those mobile calls for nearly two hours, I was able to map out a very clear picture of what he was working on, and the details of main protagonists in this mammoth deal – which Sam (wife, two young kids, Jaguar car enthusiast, keen golfer and canoeist) needed to close within the next few days.
Now with all that telephone talk, Sam and Jess obviously got a little bit thirsty. And as neither could decide what they wanted to eat or drink, they both popped along to the buffet car together. Sam was careful, or so he thought, as he took his mobile with him. Jess did the same. But there in front of me remained the open, unlocked laptop, the nicely branded folder of printed emails, his bag, and even his credit card bill sticking out of the side pocket.
Sam and Jess were either really hungry or perhaps indecisive, as they took a full eight minutes to go to and from the buffet. I timed it.
For that whole eight minutes, I had full access to Sam’s laptop, open in front of me. With the added bonus, for those eight minutes, of access to a wide variety of printed emails, and even to his personal credit card details.
Any enterprising person sitting in that carriage could have walked off with that laptop. Or imagine what a common-or-garden fraudster could have done with all that information. But had that person had a few extra skills, they could also have hacked Sam’s passwords or installed ransomware. It doesn’t take very long to do – a few seconds, maybe a minute or two at most. With the luxury of eight whole minutes, it would have been so easy to install something very nasty on that laptop, and surely paying a few bitcoins as a ransom to get back access would have been a small price to pay for Sam to close his £100m deal. We’ve recently seen the devastation that the fairly rudimentary ransomware attack on the NHS has had (netting the fraudsters nearly £87,342 at the current estimate). What would Sam have been willing to pay?
Of course, everybody has to work, and sadly that often means working while we travel. But have you ever wondered who might be listening, learning and taking advantage of the information we let slip on those journeys, through over-exuberance, indiscretion or just plain lack of awareness? How many viral quizzes do you complete on Facebook, and where do you think that data goes? How many times have you logged in to a wifi hotspot at the train station or airport without really thinking? How many conversations have you had on trains that perhaps, in hindsight, could and should have been saved for later? And when did you last read O(4.1) and O(4.5) of the Code of Conduct? Perhaps when you embark on your next journey you should start with a quick look at IB(4.1).
Be warned: it might not be me you’re sitting next to next time. It could be someone much, much worse.
*Names, locations, interests and hobbies have been changed to protect the vulnerable.
O(4.1): you keep the affairs of clients confidential unless disclosure is required or permitted by law or the client consents;
O(4.5): you have effective systems and controls in place to enable you to identify risks to client confidentiality and to mitigate those risks.
IB(4.1): your systems and controls for identifying risks to client confidentiality are appropriate to the size and complexity of the firm or in-house practice and the nature of the work undertaken, and enable you to assess all the relevant circumstances.
The Law Society’s cybersecurity support: we are developing partnerships with cybersecurity companies to help law firms to prevent cyberattacks, and handle them if they do occur. Explore our cybersecurity pages for products and services to help you with your firm's cybersecurity concerns.