Cyber-attacks: Growing problem
The number of reported cyber breaches at UK law firms jumped by 36% in 2022/23 as hackers increasingly target the profession, new figures show.
The Information Commissioner’s Office (ICO) said there were 226 breaches in the year to 30 September 2023, compared to 166 the year before, according to speciality (re)insurance group Chaucer.
Chaucer said the number of attacks were driven “by a belief amongst hackers that law firms are particularly vulnerable to ransomware attacks and threats from the hackers to publish information stolen online”.
Ben Marsh, deputy class underwriter, explained: “Hackers expect that law firms will pay them to either unlock data they encrypt in ransomware attacks or pay ‘blackmail’ in exchange for the hackers not publishing the law firm’s stolen data online.”
“Attacks against law firms are part of that smaller group of cyber-attacks where the business is being actively targeted. That means that law firms need stronger cyber defences than the average business.
“Most cyber-attacks start almost randomly when a hacker’s software identifies an organisation with a flaw in their security.”
Mr Marsh said law firms were investing in cyber-defences and basic data protection such as segregating data across different departments, teams and individual clients.
“However, it is still quite common for a law firm to suffer a data breach through a phishing attack,” he said, adding: “Law firms, like all businesses will need to improve their defences as hackers deploy more tools based on machine learning or other forms of AI.”
Chaucer said the problem was not limited to small and medium sized law firms, with a number of the world’s largest law firms having suffered major cyber breaches in the past year. It cited the National Cyber Security Centre reporting that nearly-three quarters of UK’s top 100 law firms have been impacted by cyber-attacks.
As well as the reputational and operational damage that can come with a cyber-attack, law firms face significant fines for poor custody of client information.
The ICO can fine up to 4% of a company’s total annual worldwide turnover in the last financial year or £17.5 million, or whichever is higher, for negligent treatment of client data.
We reported last week [1] that the ICO has approved a law-specific certification scheme which it said would provide law firms, chambers and others with “certainty” when processing personal data.
Barrister Orlagh Kelly, chief executive of legal compliance business Briefed, said it would not stop hackers targeting lawyers, “but complying with it will ensure they are better protected and more able to manage a data breach”.
It would also be “a major mitigating factor” in the event of a breach and an ICO investigation.