Human Error and Insiders Expose Millions in UK Law Firm Data Breaches
UK law firms are falling victim to data breaches primarily because of insiders and human error, according to an analysis of data from the the Information Commissioner’s Office (ICO).
NetDocuments examined data from the ICO covering Q3 2022 to Q2 2023 and found that 60% of data breaches in the UK legal sector were the result of insider actions, the rest (40%) were from external actors.
In total, NetDocuments found that data from legal firms relating to 4.2 million people was compromised during the period analyzed.
Almost half of the cases (49%) impacted customers and 13% impacted employees.
The main types of data breached in the legal sector included:
- Basic personal information (49%)
- Economic and financial data (13%)
- Health data (10%)
- Official documents (10%)
“Law firms and legal institutions handle vast amounts of sensitive and confidential information, which puts them at increased risk of cyber-attacks,” commented David Hansen, VP, Compliance at NetDocuments.
“But it’s not just external threats like ransomware that law firms need to watch out for. Law firms must be vigilant to insider data breaches – whether intentional or accidental. This requires robust cybersecurity measures to govern access to documents, without hampering staff productivity.”
Common causes of data breaches in the legal sector, according to the IOC data analysis, included:
- Human error (i.e., verbal disclosure; failure to redact or use bcc; alteration of data; hardware misconfiguration; documents emailed or posted to wrong recipient) was the cause of 39% of incidents
- Sharing data with the wrong person (i.e., via email, post or verbally) occurred in 37% of incidents
- Phishing and ransomware attacks were responsible for 27% of attacks
- Data loss (i.e., loss/theft of device containing personal data, or of paperwork or data left in insecure location) accounted for 12% of incidents
UK Law Firms Suffer Data Breaches
Allen & Overy, of the UK’s “Magic Circle” law firms, suffered a suspected ransomware attack in November 2023.
Although the firm has not confirmed cause of the incident, one user on X (formerly Twitter) posted a screenshot appearing to show the firm’s listing on the leak site of prolific ransomware-as-a-service (RaaS) group LockBit.
Meanwhile, In November 2021, the UK’s largest conveyancing firm Simplify Group was the victim of a major cyber-attack that led to core business systems being taken offline.
This was reported to have cost the firm £6.8m ($8.6m) in business. The firm is said to have invested heavily to increase its cybersecurity resilience following the incident.
In 2023, the National Cyber Security Centre (NCSC) issued guidance and steps for legal firms to take to combat evolving cyber threats.
In the Cyber Threat Report: UK Legal Sector, the NCSC warned how the widespread adoption of hybrid working has increased the risks online.
It also highlighted how sensitive information and the sums of money firms often handle can make them particularly attractive targets to attackers.