Yesterday, the SEC and the DOJ separately announced significant cases against three Chinese traders who made nearly $3 million in illegal profits by hacking into the computer networks of two "prominent New York-based law firms." The three men allegedly traded in the securities of at least three public companies based on confidential information they stole from the law firms that indicated that these companies were about to enter into mergers or acquisitions.
The SEC stated that the hackers gained access into the law firms' networks by installing malware, thereby "compromising accounts that enabled access to all email accounts at the firms, and copying and transmitting dozens of gigabytes of emails to remote internet locations." According to the DOJ, the traders targeted at least seven law firms, but only successfully hacked two of the firms. Announcing the DOJ's case, Preet Bharara, U.S. Attorney for the Southern District of New York, warned law firms that "this case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”
Stephanie Avakian, Acting Director of the SEC’s Enforcement Division, stated that the SEC was able to identify the broad scope of the alleged scheme via "enhanced trading surveillance and analysis capabilities that we developed over the last few years" and the SEC credited its Information Technology Forensics Group with assisting in the investigation.
The SEC and DOJ cases are eye-opening but not at all surprising given events over the past couple of years. In 2014, following a string of cases brought against law firm employees for stealing and illegally trading on similar information, I wrote here that law firms clearly needed to be on red alert to the risks posed by outside hackers:
In short, it is now well-known to would-be insider-trading employees and outside hackers that law firms' computer networks are a depository for extremely valuable information—like a Fort Knox for confidential corporate information rather than gold bullion, and without the impenetrable security systems. Law firms should learn from the recent SEC cases and hacking reports that attacks on their computer systems from both inside and outside the firm appear inevitable, and they should take a fresh look at the measures they have in place to keep their clients' information secure.
In 2015, a Citigroup report similarly warned employees that law firms' data were clear targets of attacks by foreign governments and hackers. Citigroup wrote that cybersecurity at law firms was weak as compared to other industries and that law firms were at "high risk" of cyber-attacks.
On March 4, 2016, the FBI's Cyber Division issued a Private Industry Notification alerting law firms that "[i]n a recent cyber criminal forum post, a criminal actor posted an advertisement to hire a technically proficient hacker for the purposes of gaining sustained access to the networks of multiple international law firms." The FBI stated that the criminals' motive was to gain access to inside information in law firm networks that could be used for insider trading. Shortly thereafter, it was widely reported that hackers had successfully broken into the computer networks at several major law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP.
The motive behind the hacks into Cravath and Weil Gotshal was unknown at the time, but the American Lawyer reports that the hacks into these two prominent law firms may be the same hacks underlying the cases announced yesterday. According to the American Lawyer,
The indictment unsealed Tuesday does not name the law firms, which are referred to as Law Firm 1 and Law Firm 2. According to the charges, Law Firm 1 advised Intel Corp. on its 2015 acquisition of Altera Corp. for $16.7 billion and represented a company that was in deal talks with InterMune Inc., which sold to Roche AG in 2014 for $8.9 billion.
The second major law firm advised Pitney Bowes Inc. in the 2015 acquisition of New York-based e-commerce company Borderfree, the indictment states.
Based on those details the two firms appear to be Weil, Gotshal & Manges and Cravath, Swaine & Moore, firms where cyberbreaches previously were reported. Weil represented Intel in the Altera buy and Cravath is identified in securities filings as Pitney Bowes lead deal counsel.