Brian Johnson // March 6, 2019
Minneapolis attorney Nadeem Schwen was a computer whiz before graduating magna cum laude from the University of Minnesota Law School, so he is right in his element when it comes to data privacy and cybersecurity matters.
Schwen, who holds a computer engineering degree from Ohio State University, deftly blends those talents in his work with Minneapolis law firm Winthrop & Weinstine as he advises and represents clients on data privacy, security and other areas of focus.
Data privacy is a hot topic in the wake of the recent “Collection #1” data breach, which was discovered in January and affected more than 770 million unique email addresses and 21 million passwords. The public data breach, one of the biggest in history, is five times larger than the Equifax breach of 2017, Schwen noted.
In an interview with Finance & Commerce, Minnesota Lawyer’s sister publication, Schwen talked about the data breach and what it means for commercial real estate, construction and related businesses. The interview was edited for length and clarity.
Q. What can you tell me about the “Collection #1” data breach and how businesses might be at risk — especially those in commercial real estate, construction and property management?
A. Obviously, any sort of broad data breach, especially when you are talking about something that involves 773 million unique sets of emails and passwords, can impact all sorts of businesses. Hackers will particularly target industries where there is a lot of money. Commercial real estate is a big target. Every player in the transaction will be a target, from attorneys to agents to actual folks exchanging the money.
What you have going on is, somebody compromises the email system and then they monitor communications going back and forth and they wait for an opportunity, which is usually some sort of transaction. They might send a phony invoice or — upon a feeling there is about to be a transaction occurring — send routing instructions to a bank account of their own control, usually to mainland China or Hong Kong. And then the money gets transferred there because there are not sufficient stopgaps in place to verify the recipient. Within 24 or 48 hours it’s gone forever, usually.
Q. How common are these breaches?
A. This Collection #1 data breach is one of many. We are probably 10 more data breaches in since that one came out. It made a bunch of headlines because of the sheer volume. Some of the content is from old data breaches — over 2,000 individual data breaches were aggregated together.
Q. What makes people vulnerable?
A. People like to use the same password even though they know it’s a bad thing to do. If you don’t have a robust security policy with regard to passwords, you will be a ripe target for these kinds of email compromise attacks.
Q. How do you know if your company has been breached?
A. It is actually pretty easy. Troy Hunt, an employee at Microsoft, is the one who first reported this particular breach. He has been running a website [www.haveibeenpwned.com]. It’s the best way anyone can find out if their employees’ emails were compromised.
Q. What are some examples of bad passwords?
A. There are very common ones that people pick for convenience that pop up time and time again in these breaches. There is a known list of common passwords, [such as] 123456. Literally the word ‘password’ is, unfortunately, a common one.
If you have good security policies automatically set up for your system, you are not going to allow those types of passwords. But people use them, and that is the kind of thing that companies should be worried about.
Q. What else can businesses or individuals do to avoid being hacked?
A. There are simple things you can do. One is to have a written, prepared incident response plan. I am on various boards, security committees and response teams for more than 10 companies right now. I have seen the varying levels of ways they are either well-executed or well fleshed-out versus off the cuff.
More immediately, when this kind of breach happens, a big one is auditing your IT systems and policies. If you are not updating your system, you are behind. One of the most important things everyone can do is train employees … to avoid these kinds of vulnerabilities. And it has been shown to have a lot of returns in terms of what kind of bang for your buck you get.
There was shareholder litigation a couple of years ago that was to the tune of $40 million or $50 million from one untrained employee that got an email from the CEO that was actually spoofed and authorized a transaction. And that money was just gone.
Q. Where do you fit in?
A. I am a lawyer. I focus on technology law. Data privacy has been huge in my practice. For the past two years it has been far and away the majority of what I have done. I am a chapter chair for the International Association of Privacy Professionals, one of the biggest professional associations of cybersecurity lawyers, non-lawyer practitioners, etc.
With all the evolving laws these days, most companies need advice to make sure they are adhering to these constantly evolving standards. They need to have minimum security practices in place so they are not at risk of an attack or at risk of lawsuit after an attack.
I have handled eight or nine breaches for different clients in probably the past six months. It’s a whirlwind because you are up against tight reporting deadlines, but everyone is still trying to figure out what is going on.
And even the better prepared clients that I have dealt with — it’s always a little bit of a frantic situation when you are trying to juggle a lot of balls when millions of dollars are on the line. But if you are in that position and you also don’t have any good plans or good response policies in place, those are much worse.
This article originally appeared in Finance & Commerce, a sister publication of Minnesota Lawyer.