UK law firms are facing a torrent of cyber threats – here’s why
Cyber criminals are targeting the sensitive customer data UK law firms hold for ransomware attacks or blackmail
Cyber attacks against UK law firms have surged in the last year, according to new research from Lubbock Fine.
A study from the business advisory firm found there were 954 successful attacks against organizations in the legal sector, marking an increase on the 538 recorded in the year prior.
A key factor in this, the study noted, is that cyber criminals have woken up to the potential value of data held by these organizations. This can include anything from information on divorces to details on big ticket litigation and M&A activity at City firms.
"The data that law firms hold on behalf of their clients is often highly sensitive – and therefore, valuable if you intend to blackmail a law firm," said partner Mark Turner.
"This makes them a very attractive target for hackers. Hackers will often demand a blackmail payment from law firms or threaten to post that sensitive data on the internet. If hackers make this private data public then it could really damage their relationship with clients."
The findings back up the 2023 Cyber Threat Report from the National Cyber Security Centre (NCSC), which found that nearly three-quarters of the UK’s Top 100 law firms have been impacted by cyber-attacks.
It's not just small and medium-sized businesses that are at risk either, with a number of the world’s largest law firms, including one Magic Circle firm, having suffered major cyber breaches in the past year.
In one recent example, US-based law firm Orrick fell victim to a data breach - despite the fact that the company specializes in offering legal advice to companies that have experienced cyber attacks. It was forced to settle four class-action lawsuits as a result.
While reputational and operational damages are top of mind for many legal firms, the study noted that there are other considerations at play for those who fall victim to cyber attacks.
They could face significant fines for poor custody of client information, for example, with the Information Commissioner’s Office (ICO) able to impose fines of up to 4% of a company’s total annual worldwide turnover or £17.5 million, whichever is higher, for negligent treatment of client data.
"With law firms being actively targeted by hackers, they need stronger cyber defenses than most companies. In response to the increase in cyber attacks, law firms are investing in defenses and ensuring that basic data protection measures are in place," Turner said.
"This might include segregating data across different departments, teams and individual clients. But law firms must also be aware that data can be lost through phishing attacks, which remains a common occurrence."
In a report earlier this year, document management service NetDocuments found that more than half of data breaches at legal firms in the UK are caused by insiders.
Between the third quarter of 2022 and the second quarter of 2023, data from legal firms relating to 4.2 million people was compromised – amounting to 6% of the UK population. Almost half impacted customers, and 13% impacted employees.
"As the use of AI becomes more accessible to hackers, law firms must continue to adapt," Turner said. "Increasingly sophisticated hackers require increasingly effective cyber defenses to prevent a breach."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.