The American Bar Association (ABA) has announced that a data breach last month may have compromised the login information of over a million members.
On March 17, 2023, the ABA observed “unusual activity” on its network. As a result, an “incident response plan” was immediately activated, and cybersecurity experts assisted with the investigation, according to an ABA notice. The probe “determined that an unauthorized third party gained access to the ABA network beginning on or about March 6, 2023, and may have acquired certain information,” it said.
“The personal information involved the username and hashed and salted password you may have used to log into the old ABA website before 2018 or the ABA Career Center since 2018. To be clear, the passwords were not exposed in plain text,” the email said.
“They were instead both hashed and salted, which is a process by which random characters are added to the plain text password, which is then converted on the ABA systems into cybertext.”
The ABA is the largest voluntary bar association in the United States, with 1.5 million lawyers having accounts on its website. The organization began sending email notices to its members beginning Thursday.
The ABA stated that in “many instances,” the stolen passwords may have been the default passwords that the organization assigned to members during registration.
After ABA changed its website login platform in 2018, it asked users to create new credentials. If people who have accounts on ABA are using the old credentials on the new platform, ABA is advising them to update their passwords as soon as possible.
Even if the passwords are hashed and salted, it is still possible for criminals to dehash them over time. According to the ABA, they have received no reports of anyone’s information being misused.
According to an analysis published at Law.com that looked into data breaches in California, Massachusetts, Indiana, and Maine between 2014 and 2022, cyberattacks on law firms have risen post the pandemic.
In the six years prior to the pandemic, hackers obtained the personal data of fewer than 20,000 American citizens by breaching law firms. In 2020, this number more than doubled to 46,000.
But in 2021, it skyrocketed to 720,000. Though only 13,000 people were found to be impacted in 2022, the analysis pointed out that many of the breaches were only reported in the following year or later.
Last year, the State Bar of California admitted that an “unknown security vulnerability” in its database led to the online disclosure of 260,000 cases. Meanwhile, New York law firm Cadwalader, Wickersham & Taft is facing a lawsuit for its failure to prevent a data breach in November.
According to the FBI’s 2021 Internet Crime Report (pdf), its Internet Crime Complaint Center (IC3) received a “record” 847,376 complaints that year, which is a 7 percent increase from 2020. Potential losses from these crimes are estimated to exceed $6.9 billion.
“Among the 2021 complaints received, ransomware, business email compromise (BEC) schemes, and the criminal use of cryptocurrency are among the top incidents reported. In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion,” the report said. “In 2021, the IC3’s RAT initiated the Financial Fraud Kill Chain (FFKC) on 1,726 BEC complaints involving domestic to domestic transactions with potential losses of $443,448,237. A monetary hold was placed on approximately $329 million, which represents a 74 percent success rate.”
RAT refers to the agency’s Recovery Asset Team, established in 2018.
In March, the Department of Justice announced the arrest of the alleged founder of BreachForums, a major hacker marketplace where people used to post hacked and stolen data. At the time of arrest, the platform was said to have had over 340,000 members.
The United States also faces serious hacking threats from China. The 2023 Global Threat Report by cybersecurity firm Crowdstrike reveals that around 25 percent of China’s hacking attempts are directed at North America.