
Data Breach in Solicitors

  • 18-11-2021 2:43pm
    #1
    Moderators, Politics Moderators Posts: 41,239 Mod ✭✭✭✭


    My elderly parent is in the process of moving house. They are sale agreed on their own property and also on the property they are buying (they already paid a 10% deposit on this).

    Recently, their solicitor was taking a week's leave but left word that they would be occasionally checking their emails. The solicitor is senior within a small but reputable practice.

    Anyhow, it appears that during that week, the solicitor emailed my parent telling them that the vendor of the property being purchased was wanting the balance to be paid (almost €400k). The solicitor explained that it had to be paid into a UK account but that this was ok.

    My parent didn't like the look of this and held off for a day or two and the solicitor emailed my parent again advising that in order to avoid the sale falling through they must lodge this money ASAP.

    I found out about this on the Friday (after CoB) and was stunned that they came so close to handing over 400k. Thankfully, my parent reckoned that it was a scam as the UK bank a/c was named to a construction company which rang alarm bells.

    I checked their iPad and looked up the email headers which clearly identified the solicitor company's mail server (I've a background in IT). There was no evidence that her accounts had been compromised.

    What was surprising was that the amount of detail contained in the emails indicated that it was written with full and complete understanding of the case.

    My parent contacted the solicitor's office on the Monday and notified them and naturally they were surprised. I pressed my parent to get updates from them as this was likely to be a criminal matter. My parent was told by the solicitor on the Tuesday that their IT company had found a number of issues which allegedly were all resolved. Personally I am not buying this. It is a bit too quick to resolve the issue from a technical perspective but I won't get bogged down on this matter.

    My parent called into their local garda station and was told that as no money had been exchanged, an offence hadn't occurred and they should forget about it 😕

    My belief is that for them to have knowledge of my parent's dealings meant that the persons behind the data breach had spent some time examining the details on the solicitor's mail and data servers.

    So, anyhow, a month later and there has been no update from the solicitor. To my knowledge there has been no disclosure of the data breach to their customers - I am one of their clients and have heard nothing despite them having a number of sensitive details of mine.

    Anecdotally (and apparently from a different solicitor), this has happened to a lot of solicitors' offices around Dublin over the last year or so.

    I'm not looking for legal advice here - more of a what would you do here? I think once the sale of the properties has fully completed, I'll speak with the solicitor's office and get whatever info I can from them (which may be nothing). But should I contact the Data Protection Commissioner's office? Contact the Law Society? Should they just move on and forget about it? What would you do?



Comments

  • Registered Users, Registered Users 2 Posts: 1,547 ✭✭✭KildareP


    Sounds like a classic case of phishing. It is very common, unfortunately, and not just amongst solicitors either.

    Attacker gets the username/password to a user's mailbox and sets up forwarding rules to silently monitor all e-mail exchanges. They'll then build a profile of exchanges and then target a particular exchange or transaction - your parents in this case - at an opportune moment (such as when a transfer of funds would be anticipated) and use that to try and siphon money into the attacker's bank account instead.

    It is a pretty quick fix insofar as you change the password to the mailbox and delete any unrecognised mail handling rules. Attacker no longer has access.

    By right, they should have reported this to the DPO but they may well have done so already, it's not necessarily something that will be publicly announced.

    Your parents (not you, since you are not the data subject) could contact the DPO and go at it that way, there's an online form available here: https://forms.dataprotection.ie/contact

    A complaint through the DPO will only trigger an investigation into the solicitors however, there is no avenue to be awarded compensation or damages.
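
The mailbox-rule check described in the post above, as an added example that is not part of the original thread: it audits an exported list of mail-handling rules and flags any that forward or redirect mail to an address outside the organisation's own domains. The export format, field names, addresses and domain below are constructed for illustration and do not correspond to any particular mail platform's API.

```python
import json
from email.utils import getaddresses

# Constructed sample export; field names are hypothetical, not a real mail API.
SAMPLE_RULES = json.loads("""
[
  {"mailbox": "partner@lawfirm.example", "name": "Newsletters", "enabled": true,
   "forward_to": [], "redirect_to": []},
  {"mailbox": "partner@lawfirm.example", "name": ".", "enabled": true,
   "forward_to": ["Archive <copy@mailbox-sync.example>"], "redirect_to": []},
  {"mailbox": "clerk@lawfirm.example", "name": "To secretary", "enabled": true,
   "forward_to": ["office@lawfirm.example"], "redirect_to": []},
  {"mailbox": "clerk@lawfirm.example", "name": "old", "enabled": false,
   "forward_to": [], "redirect_to": ["x@other.example"]}
]
""")

INTERNAL_DOMAINS = {"lawfirm.example"}  # assumption: the firm's own mail domains


def external_recipients(rule, internal_domains):
    """Return forward/redirect targets whose domain is not one of ours."""
    raw = list(rule.get("forward_to") or []) + list(rule.get("redirect_to") or [])
    found = []
    for _name, addr in getaddresses(raw):
        domain = addr.rpartition("@")[2].lower()
        if addr and domain not in internal_domains:
            found.append(addr.lower())
    return found


def audit_rules(rules, internal_domains):
    """Flag rules that copy mail outside the organisation.

    Disabled rules are reported too, at lower severity: they show that
    external forwarding was configured on the mailbox at some point.
    """
    findings = []
    for rule in rules:
        targets = external_recipients(rule, internal_domains)
        if targets:
            findings.append({
                "mailbox": rule["mailbox"],
                "rule": rule["name"],
                "severity": "high" if rule.get("enabled") else "review",
                "targets": targets,
            })
    return findings
```

Calling `audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS)` returns one finding per suspicious rule, which can then be checked with the mailbox owner before the rule is deleted and the password changed.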



  • Moderators, Politics Moderators Posts: 41,239 Mod ✭✭✭✭Seth Brundle


    Sounds like a classic case of phishing. It is very common, unfortunately, and not just amongst solicitors either.


    Attacker gets the username/password to a user's mailbox and sets up forwarding rules to silently monitor all e-mail exchanges. They'll then build a profile of that and then target a particular exchange or transaction - your parents in this case - at an opportune moment (such as when a transfer of funds would be anticipated) and use that to try and siphon money into the attacker's bank account instead.


    It is a pretty quick fix insofar as you change the password to the mailbox and delete any unrecognised mail handling rules. Attacker no longer has access.

    My understanding was that there was content in the mails that was not previously transmitted via email hence my belief that the data servers had also been compromised.

    however, there is no avenue to be awarded compensation or damages

    not looking for compo at all - just opinions on what others would do



  • Registered Users, Registered Users 2 Posts: 1,547 ✭✭✭KildareP


    Not sure so, unless the information was e-mailed internally (perhaps to another solicitor)?

    Or they took notes and e-mailed them to themselves (my other half, not a solicitor, but works in finance is a huge fan of doing this!)

    May also be that physical documents were scanned to e-mail or they were storing files in something like OneDrive/Google Drive and so a phish would have granted access to these as well.



  • Posts: 7,792 ✭✭✭ [Deleted User]


    FOUR HUNDRED THOUSAND!! Could have been gone in a moment ! 😲 What a bunch of scummers.. 😦 Scam would have fooled a lot of people.. Cloning emails - that's a new one on me.

    WD to your parent ☺️ That's all I have to say, and modern life is rubbish,,



  • Registered Users, Registered Users 2 Posts: 40,638 ✭✭✭✭ohnonotgmail


    Given that this happened during a week when the solicitor was on leave but said they would be checking emails, it does sound like the type of phishing that @KildareP has described. They knew your parents would have no way to confirm directly and emails sent to confirm the payment could be intercepted.



  • Registered Users, Registered Users 2 Posts: 70 ✭✭Azizur Rahman


    This is a criminal offence, tell that Garda to cop on. It's attempted deception contrary to S.6 Criminal Justice (Theft and Fraud Offences) Act 2001. The UK account needs to be provided to Gardai to notify the Financial Intelligence Unit so the UK authorities can be made aware.



  • Registered Users, Registered Users 2 Posts: 6,548 ✭✭✭Claw Hammer


    The o/p will have to write to the Superintendent about it if he wants some action from the Guards.

    The solicitor should have notified the DPC of the breach. Check if this was done.


