However, as the recent breach at the Legal Aid Agency highlights, knowing how to advise on a breach is one thing—experiencing it is another.
The Legal Aid Agency, an executive agency sponsored by the Ministry of Justice (MoJ) and responsible for administering legal aid funding, has suffered a significant data breach. Hackers gained access to and downloaded thousands, if not millions, of personal records dating back to 2010. The data exposed includes contact details, dates of birth, national ID numbers, criminal histories, and sensitive financial information such as contribution amounts, debts, and payments.
This breach comes just weeks after cyberattacks targeted and caused havoc among three major UK retailers — Marks & Spencer, The Co-op, and Harrods. These incidents are all part of a broader, escalating trend of cybersecurity breaches across various sectors, in which cyberattacks are becoming more prevalent and organisations are increasingly falling victim to cybercriminals. Notably, these recent attacks also underscore alarming gaps in cyber resilience among UK organisations.
By a twist of fate, since that joint statement in 2022, data breaches in the legal sector have surged, with law firms themselves experiencing a 77% increase in successful cyberattacks, from 538 in 2022/23 to 954 in 2023/24. The financial and operational repercussions of these breaches are significant. Law firms not only face regulatory fines and reputational damage, but they also suffer substantial losses in billable hours as they work to address the aftermath of cyber incidents. Additionally, some firms may face lawsuits or further legal complications related to the breach.
This surge in cyber attacks is attributed to the significant value of the sensitive personal and financial information that organisations in the legal sector routinely handle. The nature of this information makes them particularly attractive to cyber criminals, who seek to exploit it for financial gain through ransomware attacks and blackmail schemes, and who go on to use it to commit fraud. Phishing attacks also remain a top threat for organisations, accounting for 56% of all cyberattacks on law firms.
There is a concerning trend that UK law firms are not taking cyber security seriously enough. Our Law Firm Benchmarking 2024 report found that while 97% of law firms considered cyber security a high priority, only 32% of firms provided regular training to their staff. The lack of cyber security awareness at both firm and board levels is also concerning, with 60% identifying awareness as a significant priority for improvement. With the ever-increasing threat of cyber attacks, organisations in the legal sector need to ensure that their people have the knowledge to spot potential threats.
In response to the attack on the Legal Aid Agency, an MoJ source attributed the breach to “long years of neglect and mismanagement of the justice system under the last government.” The source further stated, “they knew about the vulnerabilities of the Legal Aid Agency digital systems, but did not act.” Similarly, law firms Swinburne, Snowball & Jackson Solicitors and DPP Law Ltd have been reprimanded by the ICO for lacking adequate cyber security measures, which led to substantial data breaches. DPP Law Ltd was also fined £60,000 for its failure to address cyber security. Evidently, ensuring cyber resilience is not just a technical issue, but also a governance and cultural one.
The recent prevalence of cyber attacks should serve as a wake-up call to UK organisations across all sectors. As these incidents continue to rise, strengthening cybersecurity defences and improving response strategies has never been more urgent. While no organisation can protect itself 100% from a cyber attack, how we manage and respond to incidents can make a significant difference, and it is entirely within our control.
If you would like some further advice or support, our Forensic Services team is always available for a conversation to help ensure your organisation is effectively managing cyber risks and is prepared to respond in the event of an incident.