Gateley criticised for not protecting client data

Cyber attack: Gateley lost small proportion of data

A law firm specialising in data breach litigation has criticised Gateley for not keeping client data safe in the wake of the cyber-attack it suffered earlier this week.

Gateley, the first law firm to list in the UK, told investors on Wednesday that it was confident the attack was confined to just 0.2% of its data, but that this included client data.

It said those clients would be notified when the firm’s investigations “are further progressed”.

Jon Else, a partner at Cheshire law firm Hayes Connor, which specialises in data breach cases, said: “It’s a positive step that Gateley was able to identify the attack shortly after it happened but it still did not prevent the loss of client data.

“Consumers and businesses trust law firms with their data and Gateley should have ensured this.

“They should immediately contact their clients to confirm which steps they have put in place to ensure data isn’t accessed. Clients will want to know how the firm can ensure it doesn’t happen again and what they intend to do for those affected.”

Andy Barratt, UK managing director at cybersecurity consultancy Coalfire, said: “While this incident only relates to a small proportion of the data held by the firm, and appears to have been mopped up relatively quickly, both the SRA and Information Commissioner’s Office will express concerns given the sensitive nature of Gateley’s work.

“Data breaches can result in fines of up to 10% of a firm’s global earnings, which in Gateley’s case could be upward of £10m – something that will no doubt cause concern given its status as a PLC.

“More immediately worrying though, is the potential for case data to have been accessed given the unscrupulous nature of hacking groups, who won’t necessarily show evidence of where they’ve hidden it.

“With scenarios like the Panama Papers in the past leaking vast amounts of attorney-client information, it’s imperative that large law firms have robust security and privacy controls in place and a zero-trust security model that assumes compromise.”

Earlier this year, an analysis by US security firm AdvIntel showed how some ‘threat actors’ gained access to a firm and then sold that access on the dark web, while others went further and stole data to market it for sale.

“Depending on the legal documents offered, threat actors could use the information for such activities as fraud, espionage, and blackmail, all severe risks for an individual or firm that are directly rooted in the compromise of their legal services provider,” it said.

“The case of a ransomware attack against a law firm illustrates how these dangers come to a head. In the spring of 2020, a ransomware group launched an attack on the firm, likely by using a remote desktop protocol vulnerability to upload their malware.

“The gang stole a large amount of confidential client information and threatened to release it unless a large ransom was paid. Later, the group began auctioning off the data of individual clients.”

AdvIntel also highlighted the use of ‘botnet infections’ and compromised remote desktop protocol credentials to attack law firms.

    Readers Comments

  • Anon says:

    Let’s just hope Hayes Connors’ data security is tip-top and they never have a security breach #pridebeforeafall

  • Anon 2 says:

    Some Firm that says ‘they seek to get maximum compensation’ makes banal comments about Gateley ought to protect data. It is unlikely any serious law firm doesn’t invest in IT security and only uses major software products. Possibly Gateley tried – but if people are hacking Apple’s new models, the NI Health System, the main US gas pipeline – perhaps we all need more government cyber agency support to disrupt and hunt out such people. And No I don’t work or even know anyone at Gateley.

Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


What challenges will the Bar face in the next five years?

As we look towards the end of 2021 and at how the Bar has adapted to the harsh realities of the pandemic, the question beckons as to what the future holds.

The rise of cyber-criminal threat for law firms since Covid-19

The global coronavirus pandemic, and the rise in people working from home, has unfortunately provoked a growth in cyber-crime. The UK government estimates that the cost of cyber-crime is £27bn per annum.

How to ensure your ATE cover is adequate security for costs

When does an after-the-event insurance policy provide adequate security for a defendant’s costs? The short answer is that it very much depends on the wording of the particular policy.

Loading animation