Research Reveals Data Breaches On The Rise at UK Law Firms

British legal professionals have seen a “significant surge” in data breaches, according to new research from NetDocuments, a firm that provides a cloud-based content management platform for the legal sector.

The firm has described how it analysed data from the UK regulator the Information Commissioner’s Office (ICO), and discovered that the number of data breaches in the country’s legal sector had grown by 39% between Q3 2023 and Q2 2024 to 2,284 cases, compared to 1,633 the same period 12 months earlier.

Furthermore, the company found that data related to 7.9 million people had been compromised, a figure which amounts to one in every eight members of the British population.

Interestingly, the research from NetDocuments split data breaches into two categories: internal and external.

Internal data breaches are caused by people inside your company – such as your staff, contractors, or other internal workers. Typically such data breaches occur because access privileges are abused – either by accident or with malicious intent.

For instance, a member of staff might intentionally steal sensitive data for their own personal gain, or a worker may accidentally post confidential information in a public forum or email it to the wrong person.

External data breaches, meanwhile, are initiated by people outside the organisation – malicious hackers, cybercriminals, or business rivals seeking a competitive advantage.

It is not uncommon for external data breaches to begin with a phishing email, or exploitation of vulnerabilities on the network.

According to NetDocuments, external breaches jumped from 40% of all incidents in the past 12 months to 50%, with phishing attacks being the most common threat encountered by legal firms (56% of all external attacks.)

Of course, that still means insider breaches account for half of all reported data breach incidents, with over a third (39%) of those blamed on human error.

Regardless of whether a data breach is internal or external, it can still have serious consequences for any individuals or organisations who have their data leaked, and for the law firm that has seen sensitive information exposed.

The consequences can include reputational damage, financial loss, and – of course – legal consequences.

One example of a law firm being hit by an external data breach occurred in November 2021 when the UK’s largest conveyancing business, Simplify Group, was hit by an attack that cost the firm almost seven million pounds plus lost business.

Meanwhile, in November 2023, the notorious LockBit ransomware group announced that it had stolen data from London-headquartered Allen & Overy.

The UK’s National Cyber Security Centre (NCSC) has warned the legal sector that it is a particularly attractive target for malicious cybercriminals because it regularly handles large amounts of money and highly sensitive information.

Looking forward, NetDocuments warns that artificial intelligence will bring new challenges to legal firms. While there is no doubt that AI can enhance productivity, it is clear that adequate safeguards must be put in place to prevent it from contributing to data breaches of sensitive information.

“Firms handle sensitive documents every hour of every day, so maintaining security when introducing new technologies must remain the highest priority,” said NetDocuments’s David Hansen. “Given the uptick in AI adoption, guardrails that mitigate against human error are also imperative. AI has the power to drive productivity and efficiency in the legal sector, but it must not compromise data security.”

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.