The biggest legal industry cyber attacks and trends
Law firm cyber attacks are on the rise. Learn about the threats, how they've evolving, and what you can do about them.
Protect your business today!
Get a QuoteTo say that law firm cyber attacks are now more common is a massive understatement.
As the American Bar Association (ABA) notes:
“Cybersecurity is a nemesis for law firms these days. We can’t seem to go a single day without hearing about some sort of security event such as a ransomware attack, data breach, newly discovered vulnerability, or some misuse of our information.”
There is no shortage of recent examples. Law firm Allen & Overy suffered a ransomware attack in November 2023 when hacking group LockBit threatened to publish data stolen from the firm’s files. Or there’s the ransomware group that took credit for accessing data at law firms Kirkland & Ellis, K&L Gates, and Proskauer Rose by exploiting a vulnerability in the file transfer software MOVEit. Even the ABA experienced a data breach when hackers accessed its network in March 2023 and took old usernames and passwords.
The takeaway is that law firm cyber attacks are everywhere, and no organization is immune to them. That’s why cybersecurity needs to be top-of-mind for everyone in the legal industry.
Wondering what cybersecurity issues your firm should be aware of? You’ve come to the right place. Here’s what you need to know about key law firm cyber attacks and cybersecurity trends.
The importance of cybersecurity for law firms
In today’s digital landscape, cybersecurity is essential for every business. Because, if the door is left open, cybercriminals will let themselves in.
Law firms are particularly susceptible to being targeted by hackers. That’s because of the gold mine of confidential information that lawyers store. With details on trade secrets, medical records, intellectual property, and all kinds of information and secrets that individuals would rather not have exposed, a hacker is drawn to a lawyer’s hard drive like a moth to a flame.
According to a 2023 survey by the ABA, 29% of law firms said they had experienced a security breach, while 19% reported not knowing if one had occurred.
And there’s a lot at risk for law firms that ignore cybersecurity. After all, lawyers have regulatory and ethical obligations to protect their clients’ information.
Under the ABA Rule 1.6 Confidentiality of Information, attorneys must make reasonable efforts to detect breaches and avoid client data loss. Failing to do so can result in an ethical violation under the ABA’s Formal Opinion 483 and land a firm in court facing a costly lawsuit for failing to protect client data.
Earlier this year, law firm Orrick, Herrington & Sutcliffe agreed to pay $8 million to settle class action claims stemming from a March 2023 data breach when cybercriminals accessed the names, addresses, dates of birth, and Social Security numbers of more than 600,000 individuals from files stored by the law firm. The hackers also accessed data on media treatments, diagnoses, and insurance claims details. In the class action lawsuits that followed the cyber attack, Orrick was accused of failing to inform victims about the breach until months after the incident.
As proof that any firm can be the target of a cyber attack it’s worth noting one of Orrick’s areas of expertise is providing legal counsel to companies that have experienced a cyber incident, including how to notify authorities and the affected individuals.
Houser LLP, Bryan Cave Leighton Paisner, Cadwalader, Wickersham & Taft, Smith Gambrell & Russell, and smaller firms Cohen Cleary and Spear Wilderman have also faced lawsuits over claims of inadequately protecting client data.
The ever-growing list of firms facing lawsuits alleging failure to protect client data proves the need for all firms to take cybersecurity seriously.
Common law firm cyber attacks
The main attack vectors used to target law firms include phishing schemes, ransomware, insider and third-party attacks, and DDoS attacks.
Here’s a detailed look at each cyber threat:
1. Phishing attacks
Phishing attacks have become one of the most common forms of cyber attacks. While phishing schemes can take various forms, such as a compromised attachment that someone downloads, a text message with a link to a fraudulent website, or a seemingly legitimate email that asks for important credentials, the end goal is always the same: to get the user to provide valuable information.
A common phishing scheme used to target lawyers involves cybercriminals impersonating clients and requesting wire transfers.
2. Ransomware
With ransomware attacks, law firms are denied access to their files until a ransom is paid.
How common are ransomware attacks? Cybercriminals can now subscribe to “ransomware-as-a-service” (RaaS) providers, which allows malware developers to sell pre-developed ransomware to other threat actors in exchange for a percentage of successful ransom payments.
Cybercriminals that use ransomware target organizations with sensitive data that is valuable to others and can be exploited. Every lawyer knows how important their client files are, and, unfortunately, so do ransomware deployers.
3. Insider and third-party attacks
Did you know that it’s not only your systems and practices that could put your firm at risk but also those of external vendors? Third-party exposure has become more common, with 29% of all data breaches in 2023 being caused by a third-party attack.
An insider cyber attack is when an individual inside an organization is the cause of a cyber incident, whether intentional or not. An example of an unintentional insider attack would be if an employee at your firm fell for a phishing scam or their personal device with sensitive client information was hacked. On the other hand, an intentional insider attack would be if an employee deliberately jeopardized or stole confidential client information.
4. DDoS attacks
With a DDoS (distributed denial of service) attack, hackers don’t breach a network in the same way as other cyber incidents. Instead, they overwhelm a network or server with so much fake traffic that your system can’t process things quickly enough. This prevents the system from allowing genuine user requests. The result can be crippling to business operations.
If not noticed and remedied quickly, a DDoS attack could cause existing clients to question your capabilities and professionalism and see your firm lose business from potential clients.
Current and emerging cybersecurity trends in the legal sector
If a law firm’s expertise isn’t in the cyber realm, why should they care about understanding cybersecurity happenings? Because, as the ABA states, “you can’t fix it if you don’t know it’s broken.”
Here’s a look at some current and emerging cybersecurity trends impacting the legal sector.
1. Artificial intelligence
Whether or not your firm uses generative artificial intelligence (AI), you’ve undoubtedly heard about the opportunities AI offers law firms. AI tools can be used to review documents, improve research and document quality control, enhance client relations, and detect potential risks earlier, among other offerings. It’s estimated that 44% of legal work could be automated with AI.
But there’s a double-edged sword with AI. Not only is AI bringing opportunities for law firms, but it’s also helping cybercriminals up their game by creating realistic content for elaborate attacks. Consider including AI detectors when investing in AI tools to benefit your firm.
2. Deepfakes
OK, yes, this is a form of AI, but the problem with deepfakes is becoming so prevalent that it warrants being singled out.
Deepfakes are created with AI to produce manipulated images, videos, or audio recordings of real individuals doing or saying something that is unreal. According to a report by KPMG, the growing accessibility of AI “enables virtually anyone to create highly realistic fake content,” with the number of deepfake videos available online increasing by a staggering 900% annually.
A prime example of what deepfakes can do involves a Hong Kong finance worker who joined a video call where every other participant, including the company’s CFO, was a deepfake. The employee was tricked into wiring $25 million to cybercriminals.
Learning how to spot deepfakes (there are some Continuing Legal Education training courses on deepfakes), as well as using a unique code word to verify clients in communications, can help combat this cyber threat.
3. Cybersecurity knowledge gap
Employees can be a law firm’s greatest defense against and greatest risk for cyber attacks. That’s why a growing trend in cybersecurity is an emphasis on training staff.
The ABA 2022 TechReport found that only 32% of solo attorneys and 64% of firms with two to nine lawyers have cybersecurity training. Cybersecurity awareness training is crucial to the success of any law firm and should be conducted at least once a year (or more if the time and budget allow).
4. Increase in ransomware attacks
Unfortunately, the ransomware attack surge is far from over. Cyber experts predict that thanks to RaaS, ransomware attacks will become more common and substantially easier for fraudsters to launch. It’s estimated that ransomware will cost victims more than $265 billion annually by 2031. As a result, ransomware attack prevention and recovery plans should be part of every law firm’s cyber defense toolkit.
Cybersecurity best practices for law firms
That’s a lot of cyber doom and gloom we’ve covered. And we don’t blame you if you’re feeling overwhelmed about what’s to come with cyber risks. While there is no surefire way to eliminate the risk of a cyber incident (if only!), the good news is that there are many measures your firm can take to protect against attacks.
- Encryption: Encrypt anything and everything. Encryption is a cost-effective way for law firms to safeguard data from threat actors.
- Enhance password security: Unique and strong passwords that are regularly changed are the first line of defense against law firm cyber attacks. Just make sure the passwords aren’t stored anywhere digitally or physically that others can access.
- Use multi-factor authentication: Multi-factor authentication could have helped avoid countless data breaches in recent years. Make using it a requirement at your firm, along with strong passwords.
- Regularly review permissions: Not everyone at your firm needs access to all files. Instead, determine the minimum level of access each employee needs. Permissions should be reviewed and re-evaluated regularly.
- Avoid data transfers: Keeping sensitive data on personal devices significantly increases cyber attack vulnerability. Avoid transferring data between business and personal devices.
- Create an incident response plan: A cyber incident response plan outlines how your firm will handle all stages of an attack, from detection and containment to remediation and recovery.
- Get insured: Having the right insurance coverage is vital for combating law firm cyber attacks. Not having cyber insurance could put your firm’s longevity at risk due to the financial burden that comes in the wake of any cyber incident. (The global average data breach cost is now $4.88 million.) At Embroker, we have tailored insurance solutions that can offer protection in minutes after applying.
No matter the size or location of your law practice or your area of specialization, every firm faces the risk of cyber threats. That’s why it’s crucial to make cybersecurity a priority by staying informed about cyber trends and having plans to mitigate and respond to law firm cyber attacks. Being proactive with cybersecurity will help safeguard your firm’s future. Just be sure to keep the words from the ABA in mind: you can’t fix it if you don’t know it’s broken.