226 UK law firms suffered data breaches in the past year as hackers target sensitive client data

The number of reported cyber breaches at UK law firms has increased in the year to September 30th, from 166 in 2021/22, to 226 in 2022/23*, as hackers increasingly target the profession, says global specialty (re)insurance group Chaucer.

Chaucer says that the large number of attacks against law firms has been driven by a belief amongst hackers that law firms are particularly vulnerable to ransomware attacks and threats from the hackers to publish information stolen online.

“The extremely sensitive data that law firms hold on behalf of their clients makes them a very attractive target to hackers.”
“Hackers expect that law firms will pay them to either unlock data they encrypt in ransomware attacks or pay ‘blackmail’ in exchange for the hackers not publishing the law firm’s stolen data online.”
“Attacks against law firms are part of that smaller group of cyber-attacks where the business is being actively targeted. That means that law firms need stronger cyber defences than the average business. Most cyber-attacks start almost randomly when a hacker’s software identifies an organisation with a flaw in their security.”
Ben Marsh
Deputy Class Underwriter at Chaucer

Ben Marsh explains that the sensitive data held by law firms will vary from firm to firm, from information on divorces at high street law firms through to information on big-ticket litigation and M&A activity at City law firms.

“Law firms are investing in cyber defences and basic data protection hygiene such as segregating data across different departments, teams and individual clients. However, it is still quite common for a law firm to suffer a data breach through a phishing attack.”
“Law firms, like all businesses, will need to improve their defences as hackers deploy more tools based on machine learning or other forms of AI.”
Ben Marsh
Deputy Class Underwriter, Chaucer

The problem is not limited to small and medium-sized law firms, with a number of the world’s largest law firms, including one of the Magic Circle firms, having suffered major cyber breaches in the past year. The National Cyber Security Centre has also reported that nearly three-quarters of the UK’s Top 100 law firms have been impacted by cyber-attacks**.

As well as the reputational and operational damage that can come with a cyber-attack, law firms could be subject to significant fines for poor custody of client information. The ICO can fine up to 4% of a company’s total annual worldwide turnover in the last financial year or £17.5 million, whichever is higher, for negligent treatment of client data.

*Source: ICO

**Source: National Cyber Security Centre Cyber Threat Report 2023

Published on 26.02.2024