Cyber attacks on UK law firms surge
By Law News
Cyber Attacks on UK Law Firms Surge by 77% Amid Growing Threat of Ransomware and BEC
The UK legal sector is confronting a significant rise in cyber attacks, with incidents up by 77% over the past year. Lubbock Fine, chartered accountants and business advisers, reports that the number of successful attacks on law firms jumped from 538 to 954. This alarming trend highlights the increasing vulnerability of law firms as hackers target their sensitive client data.
Hackers view law firms as lucrative targets, primarily due to the highly sensitive personal and financial information they hold. Mark Turner, Partner at Lubbock Fine, emphasised this risk, stating, “The data that law firms hold on behalf of their clients is often highly sensitive – and therefore, valuable if you intend to blackmail a law firm.” This data, if exposed, can severely damage a firm’s reputation and client relationships, making such attacks particularly devastating.
The types of sensitive data at risk vary, from personal details in divorce cases at smaller firms to critical information on high-profile litigation and mergers and acquisitions at larger City firms. The impact of these breaches is felt across the spectrum, with even some of the world’s largest law firms, including a Magic Circle firm, suffering significant cyber breaches in the past year. The National Cyber Security Centre (NCSC) reports that nearly three-quarters of the UK’s Top 100 law firms have been impacted by cyber-attacks, illustrating the widespread and persistent nature of this threat.
Brian Boyd, head of technical delivery at i-confidential, further commented on the issue, noting, “This study highlights that law firms are facing an increase in cyber attacks today, which is putting them and their clients at serious risk. Attackers know they can monetise from stealing sensitive information held by law firms either through ransomware or by selling it on the dark web.”
Boyd also pointed out the particular susceptibility of law firms to Business Email Compromise (BEC) attacks. In these incidents, criminals spoof the email address of a colleague to trick employees into sending large sums of money to fraudulent accounts. “Law firms are especially susceptible to BEC attacks because they often transfer large sums of money to clients on a regular basis. The requests will be made to look like they have been sent by another employee and will often request an urgent transfer, which results in the email being actioned and law firms losing millions of pounds,” he explained.
The financial and reputational risks for law firms are substantial. The Information Commissioner’s Office (ICO) can impose fines of up to 4% of a company’s total annual worldwide turnover or £17.5 million, whichever is higher, for negligent data protection practices. Given these high stakes, law firms are increasingly investing in stronger cyber defenses.
According to Mark Turner, “With law firms being actively targeted by hackers, they need stronger cyber defenses than most companies.” Brian Boyd echoed this sentiment, emphasising the need for proactive measures, including employee training on phishing and BEC attacks, verifying all financial transactions verbally, and adopting stringent security controls to guard against ransomware and malware. He also stressed the importance of vetting suppliers to ensure that criminals cannot exploit weak links in the supply chain.
As cyber threats continue to evolve, especially with the growing use of AI by hackers, law firms must continuously adapt their defenses. The surge in cyber attacks on UK law firms underscores the urgent need for robust, adaptive cybersecurity measures to protect sensitive client data and maintain operational integrity.