Pro hackz

Feature image

Professional services firms are becoming a hot target for hackers around the world. What is driving the trend and what steps can be taken to minimise reputational risk?

If press coverage is anything to go by, the hackers are winning. On a daily basis, we see reports of blue chip companies, government organisations, celebrities and even presidential candidates all falling victim to hackers looking to obtain money, secrets or notoriety.

Earlier this year, we witnessed a defining moment for the professional services industry. When news broke that Panamanian law firm Mossack Fonseca had been the subject of what industry analysts are calling the biggest hack in history, the hitherto unimaginable concept that professional services firms would be targeted became a stark reality. It has led to global political ripples, with Vladimir Putin describing the incident as “an American plot”. David Cameron was forced to defend his family’s investment arrangements and the Prime Minister of Iceland, Sigmundur Gunnlaugsson, submitted his resignation.

As 2.6 terabytes of leaked data containing over 11.5 million client files emerged on the internet, the formidable business reputation it had taken Jürgen Mossack and Ramón Fonseca 39 years to establish for their company was totally destroyed. The professional services industry looked on in horror at how an established, highly accomplished legal practice was brought to its knees by something seemingly outside its control.

In reality, the hacking episode certainly took longer than just a few minutes. In fact, it’s likely that the process of obtaining access to the company’s confidential files took the hacker months, if not years, and required multiple different approaches to establish a gateway into the firm’s most intimate secrets.

What is most interesting about this attack is that the hacker’s target was not the firm itself, but the clients they serviced. Mossack Fonseca had become a trusted advisor for many of the world’s elite, and supported their clients through complex commercial or personal life-defining moments. By targeting one organisation, the hackers were able to obtain the secrets of hundreds of individuals.

How did hackers gain access?

The true method of the attack will probably never be known, but most incident investigation firms agree that this was a highly targeted hacking attack, focused on exploiting vulnerability in the company’s email server.

This attack would have focused on the individual employees of Mossack Fonseca, with a view to gaining access to their computers via the spread of malware and/or phishing for usernames and passwords. Unless Mossack Fonseca had a secure IT system (which it appears it did not), one success with either technique could have given the perpetrators access to the firm’s entire digital estate. It is likely that out-of-date or non-existent information security practices had considerably weakened the firm’s IT security – which was spotted by the hackers and ruthlessly exploited.

Why did it happen?

Unlike many hacking episodes, which have the objective of financial gain (either through blackmail, transferring of funds or selling of trade secrets), this incident was driven by a ‘moral cause’, without any obvious financial gain for the perpetrator. What is clear, is that the hacker was after specific information on individuals and rather than going directly to each one, it was quicker (and probably easier) to focus on the law firm to obtain the data they were after.

What next?

It is expected that the consequences of this hack will be felt for many years to come. Clients put complete faith in professional service providers, especially when they become trusted advisors.

Undoubtedly, professional service firms who fail to evidence that they are tackling data protection will be viewed unfavourably as the risk becomes increasingly evident. Firms must inform their clients about what they are doing to combat the increasing threat and have action plans in place to respond to an attack should a breach occur.

A company’s diligence in protecting data will become a key factor for clients when deciding which firm to choose, so highlighting the measures a company takes to protect data should form part of an overall marketing strategy. New business opportunities will develop for those able to demonstrate a robust defence system.

Protecting your company’s reputation following a data breach

At some point, almost all companies fall victim to data loss. With strong cyber-security systems and processes, this loss can be limited. However, it’s vital companies have a clear action plan to protect one of the company’s most valuable assets: their reputation. Underpinning the entire cyber-response strategy should be preparation. With the growing cyber-threat professional services firms face, it’s no longer a case of if a cyber-breach occurs, but when. Start planning today, so that you’re ready for tomorrow.


  • Make a plan. Run through data breach scenarios on a regular basis, so that your company knows what to do if/when a breach of data occurs.
  • Seek immediate advice from a PR agency that specialises in crisis management. If you buy cyber liability cover, this should be provided as part of a suite of response services.
  • Report the data breach to those who may be affected. The Information Commissioners Office requires companies to inform those who may be affected if a cyber-breach has occurred1. Use this briefing to explain what has happened, outline the immediate measures you have taken to limit the damage caused by the breach and advise those who may be affected on the steps they can take to protect their data.
  • Don’t go to ground. Many companies hide in the face of a crisis. While this may appear to be an appealing option, explaining that an investigation is ongoing is better than not communicating at all. Keeping
  • Nominate a spokesperson to whom any questions regarding the breach can be channelled. This will ensure consistent messaging is provided to those affected and to journalists.
  • Ensure all staff have coherent and aligned messaging, so that everyone in the company knows what to say/what not to say when questioned by a third party.
  • Once the breach investigation is concluded, follow up with clients to tell them how you’ve responded and what measures you’ve taken to stop it happening again. Provide regular updates so clients are assured you’re doing everything you can to stop a repeat incident.

Footnote: 1 – Source: Information Commissioner's Office

About the author

Oliver Crofton

Marclay Associates 0203 0393 394 Email