A law firm specialising in data breach litigation has criticised Gateley for not keeping client data safe in the wake of the cyber-attack it suffered earlier this week.
Gateley, the first law firm to list in the UK, told investors on Wednesday that it was confident the attack was confined to just 0.2% of its data, but that this included client data.
It said those clients would be notified when the firm’s investigations “are further progressed”.
Jon Else, a partner at Cheshire law firm Hayes Connor, which specialises in data breach cases, said: “It’s a positive step that Gateley was able to identify the attack shortly after it happened, but it still did not prevent the loss of client data.
“Consumers and businesses trust law firms with their data and Gateley should have ensured this.
“They should immediately contact their clients to confirm which steps they have put in place to ensure data isn’t accessed. Clients will want to know how the firm can ensure it doesn’t happen again and what they intend to do for those affected.”
Andy Barratt, UK managing director at cybersecurity consultancy Coalfire, said: “While this incident only relates to a small proportion of the data held by the firm, and appears to have been mopped up relatively quickly, both the SRA and Information Commissioner’s Office will express concerns given the sensitive nature of Gateley’s work.
“Data breaches can result in fines of up to 10% of a firm’s global earnings, which in Gateley’s case could be upward of £10m – something that will no doubt cause concern given its status as a PLC.
“More immediately worrying, though, is the potential for case data to have been accessed given the unscrupulous nature of hacking groups, who won’t necessarily show evidence of where they’ve hidden it.
“With scenarios like the Panama Papers in the past leaking vast amounts of attorney-client information, it’s imperative that large law firms have robust security and privacy controls in place and a zero-trust security model that assumes compromise.”
Earlier this year, an analysis by US security firm AdvIntel showed how some ‘threat actors’ gained access to a firm and then sold that access on the dark web, while others went further and stole data to market it for sale.
“Depending on the legal documents offered, threat actors could use the information for such activities as fraud, espionage, and blackmail, all severe risks for an individual or firm that are directly rooted in the compromise of their legal services provider,” it said.
“The case of a ransomware attack against a law firm illustrates how these dangers come to a head. In the spring of 2020, a ransomware group launched an attack on the firm, likely by using a remote desktop protocol vulnerability to upload their malware.
“The gang stole a large amount of confidential client information and threatened to release it unless a large ransom was paid. Later, the group began auctioning off the data of individual clients.”
AdvIntel also highlighted the use of ‘botnet infections’ and compromised remote desktop protocol credentials to attack law firms.