Skip to main content

news

 

Singapore law firm Shook Lin & Bok was hit by a cyberattack in April and the matter is currently under investigation by local authorities.

The incident was discovered on Apr. 9, the firm confirmed. “SLB immediately engaged a cyber security team and our systems were contained as of 0200 hours on Apr. 10, 2024,” it said in a statement.

“There is thus far no evidence that the firm's core document management systems which contain client data were affected.” the statement added.

The Straits Times, citing SuspectFile—a website that tracks cybersecurity incidents—reported that Shook Lin & Bok paid 21.07 bitcoins ($1.4 million) to Akira ransomware group spread across three transactions.

The law firm said it is working closely with cyber security teams and other specialists to do all that it can to minimise impact to its clients and stakeholders.

“The matter has been reported to the relevant authorities as we are obliged to do so under Singapore law. It is now under investigation, and it would therefore be inappropriate to comment on the investigations,” Shook Lin & Bok added.

Authorities investigating the matter include the Cyber Security Agency of Singapore (CSA), and the Personal Data Protection Commission Singapore.

Law firms have been the victims of increasingly sophisticated cyber-attacks as they look to build protective capabilities while negotiating increasingly vigilant incident-disclosure norms.

The Law Society of England and Wales reported in December that 65 percent of law firms in the country had been hit by cyberattacks. Despite this, 35 percent of law firms do not have a cyber mitigation plan, the report said.  

In Singapore, the Law Society itself was ordered to plug security gaps last year after a ransomware attack compromised the information of 16,009 members, the Straits Times reported.

In a written judgment, Singapore’s privacy watchdog, the Personal Data Protection Commission,  said the Law Society had “negligently breached” its obligation to protect personal information by “using an easily guessable password” for its IT administrator account, which was hacked due to another vulnerability.

Singapore has stringent reporting requirements when it comes to cyber incident reporting. The Personal Data Protection Act requires organisations to notify the PDPC and affected persons as soon as possible if there is a data breach that is likely to significantly harm or impact the individuals concerned.

Fines for non-compliance can go up to S$1 million ($749,000) or 10 percent of the organisation’s annual turnover in Singapore, whichever is higher.

 

TO CONTACT EDITORIAL TEAM, PLEASE EMAIL ALBEDITOR@THOMSONREUTERS.COM

Related Articles

Other News

Q&A with Edwin Northover, Debevoise & Plimpton LLP

by Asian Legal Business《亚洲法律杂志》 |

Debevoise & Plimpton LLP won the Insurance Law Firm of the Year award at the ALB Hong Kong Law Awards 2024, apart from being the sponsor of the Insurance In-House Team of the Year award. Edwin Northover, Asia-based corporate partner and head of the firm’s financial institutions and corporate practices in Asia, talks about the firm's recent achievements, trends in the insurance industry, and future outlook for insurance law in Hong Kong.

Other News

Kramer Levin and Herbert Smith Freehills plan latest law firm mega-merger

by Reuters |

U.S. law firm Kramer Levin Naftalis & Frankel and global legal giant Herbert Smith Freehills are planning to merge to create a firm with more than 2,700 lawyers, according to a joint statement on Monday.

Other News

Tokyo International makes Singapore debut with SE Asia in its sights

by Sarah Wong |

Japanese boutique Tokyo International Law Office (TKI) is set to establish its first overseas outpost with the opening of a Singapore office in January 2025, marking a significant milestone in the rapidly expanding firm's global strategy.