Number of cyber breaches at law firms up by 36% in a year

Cyber-attacks: Growing problem

The number of reported cyber breaches at UK law firms jumped by 36% in 2022/23 as hackers increasingly target the profession, new figures show.

The Information Commissioner’s Office (ICO) said there were 226 breaches in the year to 30 September 2023, compared to 166 the year before, according to speciality (re)insurance group Chaucer.

Chaucer said the rise in attacks was driven “by a belief amongst hackers that law firms are particularly vulnerable to ransomware attacks and threats from the hackers to publish information stolen online”.

Ben Marsh, deputy class underwriter, explained: “Hackers expect that law firms will pay them to either unlock data they encrypt in ransomware attacks or pay ‘blackmail’ in exchange for the hackers not publishing the law firm’s stolen data online.”

“Attacks against law firms are part of that smaller group of cyber-attacks where the business is being actively targeted. That means that law firms need stronger cyber defences than the average business.

“Most cyber-attacks start almost randomly when a hacker’s software identifies an organisation with a flaw in their security.”

Mr Marsh said law firms were investing in cyber-defences and basic data-protection measures such as segregating data across different departments, teams and individual clients.

“However, it is still quite common for a law firm to suffer a data breach through a phishing attack,” he said, adding: “Law firms, like all businesses, will need to improve their defences as hackers deploy more tools based on machine learning or other forms of AI.”

Chaucer said the problem was not limited to small and medium-sized law firms, with a number of the world’s largest law firms having suffered major cyber breaches in the past year. It cited the National Cyber Security Centre’s report that nearly three-quarters of the UK’s top 100 law firms have been impacted by cyber-attacks.

As well as the reputational and operational damage that can come with a cyber-attack, law firms face significant fines for poor custody of client information.

The ICO can fine up to £17.5 million or 4% of a company’s total annual worldwide turnover in the preceding financial year, whichever is higher, for negligent treatment of client data.

We reported last week that the ICO has approved a law-specific certification scheme which it said would provide law firms, chambers and others with “certainty” when processing personal data.

Barrister Orlagh Kelly, chief executive of legal compliance business Briefed, said it would not stop hackers targeting lawyers, “but complying with it will ensure they are better protected and more able to manage a data breach”.

It would also be “a major mitigating factor” in the event of a breach and an ICO investigation.
