Gateley criticised for not protecting client data

Cyber attack: Gateley lost small proportion of data

A law firm specialising in data breach litigation has criticised Gateley for not keeping client data safe in the wake of the cyber-attack it suffered earlier this week.

Gateley, the first law firm to list in the UK, told investors on Wednesday that it was confident the attack was confined to just 0.2% of its data, but that this included client data.

It said those clients would be notified when the firm’s investigations “are further progressed”.

Jon Else, a partner at Cheshire law firm Hayes Connor, which specialises in data breach cases, said: “It’s a positive step that Gateley was able to identify the attack shortly after it happened but it still did not prevent the loss of client data.

“Consumers and businesses trust law firms with their data and Gateley should have ensured this.

“They should immediately contact their clients to confirm which steps they have put in place to ensure data isn’t accessed. Clients will want to know how the firm can ensure it doesn’t happen again and what they intend to do for those affected.”

Andy Barratt, UK managing director at cybersecurity consultancy Coalfire, said: “While this incident only relates to a small proportion of the data held by the firm, and appears to have been mopped up relatively quickly, both the SRA and Information Commissioner’s Office will express concerns given the sensitive nature of Gateley’s work.

“Data breaches can result in fines of up to 10% of a firm’s global earnings, which in Gateley’s case could be upward of £10m – something that will no doubt cause concern given its status as a PLC.

“More immediately worrying though, is the potential for case data to have been accessed given the unscrupulous nature of hacking groups, who won’t necessarily show evidence of where they’ve hidden it.

“With scenarios like the Panama Papers in the past leaking vast amounts of attorney-client information, it’s imperative that large law firms have robust security and privacy controls in place and a zero-trust security model that assumes compromise.”

Earlier this year, an analysis by US security firm AdvIntel showed how some ‘threat actors’ gained access to a firm and then sold that access on the dark web, while others went further and stole data to market it for sale.

“Depending on the legal documents offered, threat actors could use the information for such activities as fraud, espionage, and blackmail, all severe risks for an individual or firm that are directly rooted in the compromise of their legal services provider,” it said.

“The case of a ransomware attack against a law firm illustrates how these dangers come to a head. In the spring of 2020, a ransomware group launched an attack on the firm, likely by using a remote desktop protocol vulnerability to upload their malware.

“The gang stole a large amount of confidential client information and threatened to release it unless a large ransom was paid. Later, the group began auctioning off the data of individual clients.”

AdvIntel also highlighted the use of ‘botnet infections’ and compromised remote desktop protocol credentials to attack law firms.
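The compromised remote desktop protocol credentials mentioned above usually leave a trace in the Windows Security log before they succeed: a burst of failed logons from one source address, followed by a success from the same address. The following is an added example, not code from Legal Futures, Gateley or AdvIntel, that runs that check over constructed event records (Event ID 4625 for a failed logon and 4624 for a success, logon type 10 meaning RemoteInteractive/RDP). The record tuple layout, thresholds and sample addresses are assumptions made for the example.

```python
"""
Flag RDP credential attacks from Windows Security event records.

Two defender-side patterns:
  * many failed RDP logons (Event ID 4625, logon type 10) from one source
    address inside a short window: password guessing or credential stuffing
  * a successful RDP logon (4624, type 10) from a source that was just
    failing: the guessed or purchased credential now works
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5          # failures inside WINDOW that count as an attack (assumed value)
WINDOW = timedelta(minutes=10)

# Constructed sample records, not real logs. Layout (assumed for this example):
# (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2020-04-01T02:00:01", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-04-01T02:00:04", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-04-01T02:00:09", 4625, 10, "jsmith", "203.0.113.7"),
    ("2020-04-01T02:00:15", 4625, 10, "admin", "203.0.113.7"),
    ("2020-04-01T02:00:22", 4625, 10, "admin", "203.0.113.7"),
    ("2020-04-01T02:00:30", 4625, 10, "admin", "203.0.113.7"),
    ("2020-04-01T02:01:10", 4624, 10, "admin", "203.0.113.7"),   # success after the burst
    ("2020-04-01T09:14:00", 4625, 10, "alee", "198.51.100.20"),  # a single typo, benign
    ("2020-04-01T09:14:30", 4624, 10, "alee", "198.51.100.20"),
    ("2020-04-01T09:20:00", 4624, 2, "alee", "-"),               # console logon, not RDP
]


def analyse(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return brute-force sources and successes that followed a failure burst.

    Events are processed in timestamp order. Only logon type 10 (RDP) is
    considered; other logon types are ignored so console activity does not
    pollute the per-source failure counters.
    """
    ordered = sorted(events, key=lambda e: e[0])
    recent_failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    brute_force = {}                       # source_ip -> peak failures seen in one window
    suspicious_success = []                # (source_ip, account, timestamp)

    for ts_str, event_id, logon_type, account, src in ordered:
        if logon_type != 10:
            continue
        ts = datetime.fromisoformat(ts_str)
        window_failures = recent_failures[src]
        # Drop failures that have aged out of the sliding window.
        while window_failures and ts - window_failures[0] > window:
            window_failures.popleft()

        if event_id == 4625:
            window_failures.append(ts)
            if len(window_failures) >= threshold:
                brute_force[src] = max(brute_force.get(src, 0), len(window_failures))
        elif event_id == 4624 and len(window_failures) >= threshold:
            # A success from a source that was just hammering the service is the
            # signal that a credential has been guessed or bought and is now in use.
            suspicious_success.append((src, account, ts_str))

    return {"brute_force": brute_force, "suspicious_success": suspicious_success}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for src, count in result["brute_force"].items():
        print(f"failed-logon burst from {src}: {count} failures within {WINDOW}")
    for src, account, ts in result["suspicious_success"]:
        print(f"success for {account} from {src} at {ts} after a failure burst")
```

The single failed logon from 198.51.100.20 followed by a success is not flagged, because one mistyped password inside the window is ordinary user behaviour; the threshold is what separates that from a guessing campaign. In a real deployment the same logic would read the IpAddress, TargetUserName and LogonType fields from the event XML rather than a tuple.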

    Readers Comments

  • Anon says:

    Let’s just hope Hayes Connor’s data security is tip-top and they never have a security breach #pridebeforeafall

  • Anon 2 says:

    Some firm that says ‘they seek to get maximum compensation’ makes banal comments that Gateley ought to protect data. It is unlikely any serious law firm doesn’t invest in IT security and only uses major software products. Possibly Gateley tried – but if people are hacking Apple’s new models, the NI Health System, the main US gas pipeline – perhaps we all need more government cyber agency support to disrupt and hunt out such people. And no, I don’t work or even know anyone at Gateley.
