Thrive UK
UK Legal Firms Facing Unrelenting Cyber Onslaught
In the aftermath of our previous blog on cyber-attacks targeting the legal sector in the UK, we delve deeper into the latest assaults, shedding light on the dire consequences and offering insights on bolstering cyber defences to avert severe business disruptions. This article unveils recent attacks on law firms and the high stakes for failing to take adequate safety measures.
The Allen & Overy Saga: A High-Profile Confrontation
The most high-profile recent victim is Allen & Overy – the UK “magic circle” law firm that fell prey to the notorious Russian ransomware group Lockbit. This London-based legal giant, founded in 1930, is the 7th largest integrated law firm globally, with approximately 5,500 employees and 500 partners across 31 nations. Allen & Overy was in the process of merging with Shearman & Sterling when it faced a cyber onslaught that threatened to expose sensitive data. The merger was to create a 4,000-lawyer firm with 800 partners across 48 offices by May 2024. Lockbit added Allen & Overy to its victim list in early November 2023, claiming it had acquired the firm’s data and planned to publish it soon.
Prompt action by external cybersecurity experts helped isolate and contain the breach, sparing the firm’s core system data, email, and document management systems. Weeks later, as forensic investigations and remediations unfold, the firm continues to operate with limited disruption, underscoring the importance of swift and well-planned responses to such threats. The speed of response by Allen & Overy and the additional remediation and planning after the attack were critical to avoid catastrophic data loss.
Dire Warnings for Legal Businesses
Lockbit, the group behind the Allen & Overy attack, should be considered a significant threat. The National Cyber Security Centre (NCSC) labelled Lockbit as the most deployed ransomware in 2022, emphasising the devastating impact of their attacks. NCSC Director of Operations Paul Chichester urges organisations to comprehend the severe consequences of ransomware assaults on operations, finances, and reputation: “It is essential for organisations to understand the serious consequences that ransomware attacks can have on their operations, finances, and reputation.”
Since January 2020, entities of various sizes operating within critical infrastructure sectors such as finance, food and agriculture, education, and healthcare have experienced attacks from Lockbit affiliates utilising diverse tactics and methods. The wave of Lockbit’s widespread attacks across these critical infrastructure sectors reinforces the urgency for heightened cybersecurity measures.
Legal Sector in the Crosshairs
Legal firms have long been prime targets due to their safeguarding of sensitive client data. Past incidents, such as the £5 million ransomware attack on Ince in July 2022 and the 2021 assault on Simplify Group, the UK’s largest conveyancing company, highlight the sector’s vulnerability.
Simplify Group’s breach resulted in a month-long system shutdown, showcasing the significant financial implications and potential fallout for law firms facing cyber threats. Vendors and buyers were left in turmoil for up to a month, unable to finalise any transactions. As for affected data, current and former staff members from conveyancing firms using Simplify were impacted by this breach. However, there is no indication customer data was stolen. Simplify had a class action lawsuit filed against it by other law firms on behalf of outraged clients, resulting in potential financial liability and implications.
Multi-Million Costs and Business Implications
Simplify Group’s annual report reveals the attack’s direct costs amounting to £7.3 million, partially covered by insurance. The incident prompted discussions with capital providers to safeguard the company’s long-term funding and capital structure. Indirect costs, including a reduction in client intake for ten weeks while remediation occurred, profoundly impacted the firm’s financial performance.
This severely affected the results for that financial year, when the company was otherwise on track to complete a record number of cases. Shareholders injected £15 million for post-breach recovery, underscoring the substantial challenges businesses face after cyber incidents.
Regulatory Scrutiny and Urgency for Preparedness
While Simplify immediately engaged a leading cyber response team, being prepared ahead of time is necessary in this dangerous era of cyber threats. In August 2023, the ICO reprimanded Durham law firm Swinburne Snowball & Jackson (SSJ) for not having sufficient protections in place and not being aware it needed to report data breaches to the ICO.
An employee’s Outlook email account was targeted in a spear phishing attack, impacting payments to beneficiaries of a probate case. The first breach was on January 11, 2021, but SSJ only became aware three days later, and the account’s password was changed on January 15. Following the incident, SSJ notified its data insurer, the Solicitors Regulation Authority (SRA), and the ICO after 11 days. SSJ faced repercussions for lacking sufficient protections and delayed reporting of that spear phishing attack.
SSJ did not have multi-factor authentication (MFA) in place for the account, claiming that its IT contractors had not previously recommended doing so despite various bodies, including the National Cyber Security Centre (NCSC), SRA, and Law Society, advocating for strong authentication measures.
The ICO also criticised SSJ for failing to comply with GDPR obligations to process personal data securely and to ensure ongoing system security and confidentiality. It urged training and provided standard non-compulsory recommendations on governance, identity and access controls, technical control selection, staff training, and supply chain security. The ICO warned, “If further information relating to this matter comes to light, or if any further incidents or complaints are reported to us, further regulatory action may be considered.”
A Call to Action: Strengthening Cyber Defences
The SSJ case is a stark reminder of the repercussions of inadequate cybersecurity measures, while the Allen & Overy incident showcases the imperative of being proactive. At Thrive, we specialise in fortifying businesses against data theft risks. Contact us today to ensure your clients’ data remains secure in the face of evolving cyber threats.