Law firms hold privileged client communications, litigation strategy, and sensitive personal data — assets SRG specifically targets for maximum extortion leverage. A successful intrusion does not require encryption to cause harm; the credible threat of publishing privileged legal data can trigger client loss, bar association scrutiny, and regulatory investigation simultaneously. The physical impersonation vector means technical security investments alone do not contain this risk — the attack requires a procedural and human response.
You Are Affected If
Your organization operates a physical office where external IT vendors or support personnel are granted unsupervised workstation access without formal identity verification
Staff have not been trained to recognize or escalate in-person social engineering attempts, particularly from individuals claiming IT affiliation
Your organization operates in law, insurance, finance, or healthcare — sectors SRG has explicitly targeted or assessed as comparable targets due to data sensitivity
Remote access tools (AnyDesk, Zoho Assist, Splashtop, or similar) can be installed on workstations without IT change-management approval and without generating an alert
Callback phishing awareness training has not been delivered, so staff may comply with phone-based instructions to install software or hand over credentials
Board Talking Points
A threat group now sends operatives in person into law firm offices, posing as IT staff, to steal sensitive client data for extortion — no malware required.
We recommend immediate implementation of a mandatory IT visitor verification protocol and targeted staff awareness training within the next 10 business days.
Without these controls, a single successful impersonation visit could expose privileged client data and trigger simultaneous reputational, regulatory, and client retention consequences.
ABA Model Rules — law firms hold attorney-client privileged communications; unauthorized access and threatened publication directly implicates professional conduct obligations and may require client notification
HIPAA — healthcare sector organizations identified as secondary targets; exfiltration of patient data via this vector triggers breach notification requirements under 45 CFR Part 164
GLBA — insurance and finance sector organizations identified as secondary targets; unauthorized access to customer financial records triggers Safeguards Rule notification and remediation obligations
State data breach notification laws — exfiltration of personally identifiable information held by law, insurance, or finance firms triggers notification obligations in most jurisdictions regardless of encryption status