The Top 15 Legal Industry Cyber Attacks: What UK Law Firms Must Know in 2026

The legal sector has become one of the most targeted industries for cybercriminals, and the evidence is alarming. Successful cyber attacks against UK law firms rose by 77% in a single year – from 538 to 954 incidents – according to figures cited by Lubbock Fine and PDA Legal. Meanwhile, data from the UK’s Information Commissioner’s Office (ICO) reveals that the number of data breaches in the legal sector grew by 39% between Q3 2023 and Q2 2024, with the personal data of nearly 7.9 million people compromised – equivalent to one in every eight members of the British population.

The reason is straightforward. Law firms hold an extraordinary concentration of sensitive assets: confidential client communications, privileged legal materials, financial transaction data, and personal identifying information spanning decades. That combination makes them high-value targets for ransomware operators, nation-state actors, and opportunistic criminals alike.

This article examines 15 of the most significant cyber attacks to have struck the legal industry – including landmark UK cases – analyses the attack types and vulnerabilities exploited, and provides practical guidance for firms looking to strengthen their defences before they become the next case study.


Why Law Firms Remain Prime Targets

Before examining specific attacks, it is worth understanding why the legal sector continues to attract such disproportionate attention from threat actors.

The data law firms hold is uniquely valuable

Unlike most businesses, law firms routinely handle data that is sensitive across multiple dimensions simultaneously. A single matter file may contain personal health records, financial information, corporate strategy details, and privileged legal advice – all in one place, often retained for years. For cybercriminals, that concentration of high-value data dramatically increases the return on a successful attack.

Regulatory and reputational pressure creates leverage

Ransomware operators understand that law firms face severe consequences for data exposure. A breach that results in client confidential information appearing on the dark web does not merely create a regulatory problem – it threatens the firm’s professional indemnity insurance, its SRA standing, and its ability to retain clients. That pressure makes firms more likely to pay ransoms quietly and less likely to disclose incidents publicly.

Security investment has not kept pace with threat growth

According to research cited by Infolegal, nearly 75% of the UK’s top 100 law firms have already experienced a cyber incident. Yet 35% of firms still lack adequate cyber mitigation planning, and the majority of mid-market firms operate without a dedicated security operations capability. The NCSC has published a specific Cyber Threat Report for the UK Legal Sector, underscoring just how seriously the national security establishment views the threat.


The 15 Most Significant Legal Industry Cyber Attacks

15. DPP Law Ltd – ICO Fine for Dark Web Exposure (2022/2025)

Attack type: Brute force / lateral movement
Location: Merseyside, UK
Cost: £60,000 ICO fine, plus remediation costs
Data accessed: 32GB of highly sensitive client data

In June 2022, DPP Law suffered a cyber attack that took down its IT systems for over a week. A third-party investigation found that attackers used a brute force method to access an administrator account, then moved laterally across the firm’s network to extract more than 32GB of data – including confidential case files that subsequently appeared on the dark web.

Critically, DPP did not initially recognise the data loss as a personal data breach and failed to report the incident to the ICO until 43 days after becoming aware, only discovering the dark web publication when contacted by the National Crime Agency. The ICO fined the firm £60,000 in 2025, citing the absence of multi-factor authentication, inadequate monitoring, and the delayed notification as aggravating factors.

Key lesson: Firms must report personal data breaches to the ICO within 72 hours of becoming aware. Legacy systems without modern authentication controls represent a critical and exploitable vulnerability.
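The DPP Law breach combined a brute-forced administrator account with inadequate monitoring. The following is an added example (not code from the article or from any firm it describes) of the kind of detection logic a monitoring capability would run over authentication events: it flags an account that sees a burst of failed logons from one source followed by a successful logon from that same source. The log format, threshold and window are assumptions; the sample lines are constructed.

```python
"""Detect a brute-force logon pattern in authentication logs.

Added example; the simplified line format (ISO timestamp, FAIL|OK, user,
source IP) is an assumption. A real deployment would feed Windows 4625/4624
events or cloud identity sign-in logs into the same sliding-window logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: five rapid failures on 'admin' from one source,
# then a success; a single ordinary mistyped password for 'jsmith'.
SAMPLE_LOG = """\
2022-06-01T02:00:01 FAIL admin 203.0.113.7
2022-06-01T02:00:03 FAIL admin 203.0.113.7
2022-06-01T02:00:05 FAIL admin 203.0.113.7
2022-06-01T02:00:08 FAIL admin 203.0.113.7
2022-06-01T02:00:10 FAIL admin 203.0.113.7
2022-06-01T02:00:12 OK admin 203.0.113.7
2022-06-01T09:15:00 FAIL jsmith 198.51.100.20
2022-06-01T09:15:30 OK jsmith 198.51.100.20
"""

FAIL_THRESHOLD = 5            # assumed tuning value
WINDOW = timedelta(minutes=10)  # assumed sliding window


def parse_line(line):
    """Split one assumed-format log line into (timestamp, outcome, user, ip)."""
    ts, outcome, user, ip = line.split()
    return datetime.fromisoformat(ts), outcome, user, ip


def detect_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per (user, ip) pair whose successful logon was
    preceded by at least `threshold` failures inside `window`.

    Each alert is (user, ip, failures_in_window, success_timestamp).
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, outcome, user, ip = parse_line(line)
        fails = recent[(user, ip)]
        # Expire failures that have fallen out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.popleft()
        if outcome == "FAIL":
            fails.append(ts)
        elif outcome == "OK" and len(fails) >= threshold:
            # Success after a burst of failures: the signature of a
            # guessed password rather than a user's slip.
            alerts.append((user, ip, len(fails), ts))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for user, ip, n, when in detect_brute_force(SAMPLE_LOG):
        print(f"ALERT: {n} failed logons for '{user}' from {ip}, then success at {when}")
```

With the sample above only the 'admin' sequence is flagged; the single failure on 'jsmith' stays below the threshold and is treated as normal user behaviour.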


14. Levales LLP – Health Data Breach (2024)

Attack type: Unauthorised access
Location: Hampshire, UK
Cost: Undisclosed, ICO enforcement action
Data accessed: Personal and health data of over 8,000 individuals

In 2024, Levales LLP – a criminal and military law firm – suffered a breach exposing the personal and health data of more than 8,000 individuals. The ICO found that the firm had failed to enable multi-factor authentication across its systems and had not adequately overseen the security practices of its third-party IT provider.

The case is a clear example of third-party supply chain risk, and of the specific vulnerability that arises when firms outsource IT management without retaining oversight of security controls.

Key lesson: Firms cannot outsource accountability for data security to their IT providers. Contractual obligations must be supported by active oversight and regular security audits.


13. NewLaw Legal / Targeted Campaign Against UK Firms (2024)

Attack type: Targeted credential and ransomware campaign
Location: Cardiff, UK, and London
Cost: Undisclosed
Data accessed: Undisclosed

Research published by the Law Society Gazette in 2024 revealed a coordinated campaign targeting law firms and chambers across the UK. Security consultancy One Brightly Cyber identified evidence on the dark web of a campaign beginning 22 May 2024, during which one Magic Circle firm suffered 41 credential breaches in a single day. Cardiff-based NewLaw Legal became publicly known as a victim, with callers greeted by a message confirming a cybersecurity incident. London chambers Brick Court also confirmed it had been targeted.

The 2024 Professional Services Threat Landscape report by Trustwave warned that professional services firms “often become targets for nation-state threat actors,” adding an additional layer of concern beyond purely criminal motivation.

Key lesson: Credential-based attacks are increasingly coordinated and industry-specific. Password hygiene, multi-factor authentication, and dark web monitoring are no longer optional.


12. Tuckers Solicitors – Ransomware Attack (2020)

Attack type: Ransomware
Location: London, UK
Cost: Undisclosed
Data accessed: Almost one million files, including court bundles

The Tuckers Solicitors attack in 2020 saw nearly one million files encrypted, including highly sensitive court bundles – documents prepared for criminal proceedings. The firm notified the ICO and affected individuals. The case was notable for the nature of the data involved: court bundles contain some of the most sensitive personal and legal information that exists, including witness statements, medical evidence, and details of alleged offences.

The attack demonstrated that criminal law firms face a particularly acute risk, given that the data they handle is not only commercially sensitive but potentially dangerous to individuals if released.

Key lesson: The sensitivity of the data held – not merely its volume – determines the severity of a breach. Criminal law firms must apply security proportionate to their unique data risk profile.


11. Orrick, Herrington & Sutcliffe – Breach of Breach Victims’ Data (2023)

Attack type: Data exfiltration
Location: San Francisco, USA
Cost: Undisclosed; multiple class-action lawsuits
Data accessed: PII and health data of more than 637,000 individuals

In a particularly ironic attack, Orrick, Herrington & Sutcliffe – a firm that specialises in representing data breach victims – had its own systems compromised in March 2023. Threat actors accessed a file share storing sensitive documents relating to the firm’s data breach clients, including credit card information, login credentials, Social Security numbers, and medical data.

The breach resulted in multiple class-action lawsuits, illustrating that even firms with deep expertise in breach response are not immune to attack. The hack underscores that holding third-party breach data creates its own distinct risk category.

Key lesson: Firms that hold aggregated sensitive data on behalf of breach victims must treat that data as an especially high-value target and apply correspondingly higher levels of protection.


10. Grubman Shire Meiselas & Sacks – Celebrity Law Firm Ransomware (2020)

Attack type: Ransomware (REvil)
Location: New York, USA
Cost: Disputed; reportedly $365,000 USD paid
Data accessed: Sensitive entertainment industry client files

In May 2020, the REvil ransomware group targeted entertainment law firm Grubman Shire Meiselas & Sacks, leaking data relating to high-profile clients including Lady Gaga and threatening to release information about additional celebrities. The attackers initially demanded $21 million USD before doubling their demand to $42 million.

The case illustrated the reputational dimension of law firm ransomware attacks. Even where operational recovery is achievable, the threat of client data disclosure creates pressure that is entirely separate from the technical incident.

Key lesson: Ransomware attacks on law firms carry reputational risk that extends well beyond the firm itself to its clients. This dual leverage – operational disruption plus client data exposure – is precisely why law firms are such attractive targets.


9. Proskauer Rose – Unsecured Cloud Server (2023)

Attack type: Data breach via unsecured third-party cloud infrastructure
Location: New York, USA
Cost: Undisclosed
Data accessed: 184,000+ files including NDAs, financial deals, and M&A documents

In April 2023, Proskauer Rose disclosed that a third-party vendor had stored more than 184,000 files on an unsecured Microsoft Azure cloud server – publicly accessible to anyone who knew where to look. The data included non-disclosure agreements, financial deals, and documents relating to high-profile acquisitions. Critically, the data had been left exposed for six months before threat actors accessed it.

This was Proskauer Rose’s second significant breach, highlighting the compounding reputational and operational damage that results from repeated incidents.

Key lesson: Cloud security is not automatically provided by cloud platforms. Firms must actively configure and audit cloud storage security, and must establish clear contractual accountability with third-party vendors.


8. HWL Ebsworth – ALPHV/BlackCat Ransomware Attack (2023)

Attack type: Ransomware (ALPHV/BlackCat)
Location: Australia
Cost: Undisclosed
Data accessed: 4TB+ of data, 2.2 million files

In April 2023, one of Australia’s largest law firms suffered a major ransomware attack by the ALPHV/BlackCat group – a Ransomware-as-a-Service (RaaS) operation with links to Russian criminal networks. The firm, whose clients included ANZ bank and the Australian federal government, did not disclose the breach initially. Disclosure came when ALPHV/BlackCat published details on a dark web forum.

The stolen data included employee IDs, financial reports, accounting data, client documentation, credit card information, and a complete network map – the last of which is particularly valuable for enabling further attacks. In June 2023, 1.45TB of data was published publicly on the dark web.

Key lesson: RaaS groups operate with professional efficiency and actively use non-disclosure as leverage. Firms that delay or avoid disclosure may find attackers making the disclosure for them – on far worse terms.


7. Jenner & Block / Proskauer Rose – W-2 Phishing Attacks (2016/2017)

Attack type: Phishing (Business Email Compromise)
Location: USA
Cost: Undisclosed
People affected: 2,359

Two separate Business Email Compromise (BEC) attacks on major US firms resulted in the inadvertent transmission of employee W-2 tax forms to unauthorised recipients. In each case, an email that appeared to originate from a senior executive requested payroll data as part of what appeared to be a routine internal process.

These cases remain relevant because BEC attacks have grown significantly more sophisticated. AI-generated voice and video deepfakes now enable attackers to impersonate executives with alarming credibility, making the “verify via a second channel” principle more important than ever.

Key lesson: Business Email Compromise exploits authority and urgency. Firms must implement callback verification procedures for any request involving financial data, payroll information, or fund transfers.


6. GozNym Malware – Banking Credential Theft (2016)

Attack type: Phishing and banking malware
Location: Washington D.C. and Massachusetts, USA
Cost: $117,000 USD
People and companies affected: Undisclosed

Two undisclosed law firms were targeted using the GozNym banking malware, which combined a phishing email with keystroke logging to capture banking credentials. Criminals then transferred funds to accounts under their control, with one firm losing $76,000 and the other $41,000.

GozNym was part of a wider criminal network responsible for targeting thousands of organisations with the potential to cause over $100 million in losses. The network was subsequently dismantled through an international law enforcement operation coordinated by the US Department of Justice.

Key lesson: Financial transaction fraud targeting law firms is highly automated and scalable. Dual-authorisation controls on fund transfers and real-time anomaly detection are essential mitigations.


5. Moses Afonso Ryan Ltd. – Three-Month Ransomware Lockdown (2016)

Attack type: Ransomware
Location: Providence, Rhode Island, USA
Cost: $700,000+ USD
People and companies affected: Unknown

The ransomware attack on Moses Afonso Ryan Ltd. stands out not for the ransom paid, but for its operational duration. The firm’s billing system and documents were locked for three months, preventing the firm from billing clients or accessing financial records. The resulting loss of $700,000 in client billings illustrates that the operational cost of a ransomware attack can far exceed the ransom demand itself.

Key lesson: Business continuity planning is as important as prevention. Firms should model the cost of extended operational disruption – not just the ransom – when making security investment decisions.


4. Cravath Swaine & Moore / Weil Gotshal & Manges – Insider Trading Hack (2016)

Attack type: Malware for corporate espionage
Location: New York, USA
Cost: $4+ million USD in insider trading profits; $8.8 million SEC fine
People and companies affected: Partners at both firms; multiple public companies

Three Chinese nationals targeted two of New York’s most prestigious law firms with the specific intent of accessing M&A information to facilitate insider trading. By gaining unauthorised access to partners’ email, they read confidential communications about pending transactions and traded on that information across at least seven matters.

The SEC subsequently fined the perpetrators $8.8 million – more than double their trading profits. The case is significant because it established that law firm cyber espionage is not merely a data protection issue: it is a securities law issue with serious legal consequences for third parties.

Key lesson: M&A and corporate law firms hold information that is market-sensitive in addition to being confidential. The theft of that information creates cascading legal liability well beyond the firm itself.


3. DLA Piper – NotPetya Global Ransomware (2017)

Attack type: Ransomware/wiper (NotPetya)
Location: Ukraine (origin), global spread
Cost: Millions of dollars in overtime, rebuilding, and lost billable hours
Data accessed: No confirmed data loss; systems and email disabled globally

In June 2017, DLA Piper became one of the most prominent victims of the NotPetya malware, which originated in Ukraine and spread globally through the firm’s flat network structure. The attack disabled the firm’s telephone systems, email, and document access worldwide. The firm’s IT department subsequently worked 15,000 hours of paid overtime and was required to wipe and rebuild its entire Windows environment.

NotPetya is technically a wiper masquerading as ransomware – no decryption key was ever intended to be provided. It has been attributed to the Russian military intelligence service (GRU) and represents state-sponsored cyber warfare spilling into the private sector.

Key lesson: Nation-state cyber operations can devastate law firms as collateral damage. Firms must segment their networks, maintain offline backups, and have incident response plans that do not assume the availability of any digital infrastructure.


2. Appleby – The Paradise Papers (2016/2017)

Attack type: Hack or insider attack
Location: Bermuda
Cost: Undisclosed
People and companies affected: 120,000+; 13.4 million files exposed

In 2016, Bermuda-based offshore law firm Appleby suffered a major breach that resulted in 13.4 million files reaching the International Consortium of Investigative Journalists (ICIJ). The documents were reviewed by 96 media organisations and 381 journalists worldwide, collectively known as the Paradise Papers.

The breach followed the Panama Papers (see number one) and exposed similar patterns of offshore financial activity. Appleby denied insider involvement, but the volume of data and the manner of its distribution led many observers to question that assertion. The firm subsequently pursued legal action against The Guardian and BBC before reaching a confidential settlement.

Key lesson: The legal and reputational consequences of a major data breach can extend over years, encompassing litigation, regulatory scrutiny, and sustained media exposure. Incident response must account for this extended timeline.


1. Mossack Fonseca – The Panama Papers (2016)

Attack type: Hack or insider attack
Location: Panama City, Panama
Cost: Firm closed in March 2018
People and companies affected: 300,000+; 11.5 million documents

The Panama Papers remains the most consequential data breach in the history of the legal profession. In April 2016, approximately 11.5 million documents from Panamanian law firm Mossack Fonseca were obtained by journalists from Süddeutsche Zeitung, who subsequently shared them with the ICIJ. A team of 107 media organisations in 76 countries reviewed the documents over the following weeks.

The documents detailed the widespread use of shell companies and complex offshore transactions to facilitate tax fraud and avoidance for clients including heads of state, politicians, and high-net-worth individuals. Governments around the world used the documents to recover more than $1.2 billion in unpaid taxes and penalties. Iceland’s prime minister resigned within days of publication. Mossack Fonseca itself closed its doors in March 2018 – a direct consequence of the breach.

The technical vector for the attack remains contested. Analysis by security researchers suggests the firm was running an outdated version of WordPress and an unpatched Drupal installation – basic vulnerabilities that an attacker or insider could have exploited without sophisticated tools.

Key lesson: The Panama Papers demonstrated that a single breach can end a law firm entirely. Basic patch management and vulnerability hygiene – unglamorous but essential – can prevent catastrophic outcomes.


The Attack Vectors Targeting Law Firms: A Pattern Analysis

Reviewing the attacks above reveals consistent patterns that firms can use to prioritise their defences.

Ransomware dominates, but data extortion is growing

Ransomware remains the most operationally disruptive attack type. However, Arctic Wolf’s 2026 Threat Report noted an 11x growth in data extortion incidents – where attackers exfiltrate data and threaten to publish it without necessarily encrypting systems. This approach is particularly effective against law firms, where client confidentiality is foundational.

Third-party and supply chain risk is underappreciated

Several of the attacks above – including Proskauer Rose (cloud misconfiguration) and Levales LLP (IT provider oversight failure) – originated not in the firm’s own systems but in the security failures of vendors. According to the ICO, firms remain accountable as data controllers regardless of where the breach occurs.

Phishing and Business Email Compromise continue to evolve

The phishing attacks described above would now be significantly harder to detect. AI tools allow criminals to craft personalised emails, deepfake voice calls, and – increasingly – video calls that convincingly impersonate colleagues or clients. Awareness training must evolve at the same pace as these techniques.

Insider threats are a significant and underreported vector

Research from NetDocuments found that more than half of data breaches at UK legal firms are caused by insiders, whether through accidental disclosure or deliberate action. Nearly 75% of all breaches involve some element of human error. Privileged access management, data loss prevention tools, and a security-aware culture are the primary mitigations.


What UK Law Firms Must Do Now

Meet your SRA and ICO obligations proactively

The SRA expects firms to take proactive steps to mitigate cyber risk and to report serious incidents. The ICO requires notification of personal data breaches within 72 hours. Firms that fail on either front face fines, enforcement action, and professional negligence exposure. The proposed Cyber Security and Resilience Bill will extend these obligations further, making compliance planning a board-level priority.

Implement the basics – they still matter

The Panama Papers may have been enabled by an unpatched WordPress plugin. The DPP Law breach was facilitated by the absence of multi-factor authentication. The foundational controls – MFA, patch management, network segmentation, and offline backups – prevent the majority of attacks and are the minimum standard that regulators and insurers now expect.

Invest in 24/7 monitoring and detection

Mid-market law firms cannot staff a Security Operations Centre internally. Managed Detection and Response (MDR) services provide the continuous monitoring, threat hunting, and incident response capability that these firms need – without the cost and recruitment challenge of building it in-house. The cost of a breach, measured in regulatory fines, lost billings, ransom payments, and reputational damage, consistently exceeds the investment required to prevent it.

Train your people – and keep training them

Nearly 75% of breaches involve human action, whether accidental or deliberate. Security awareness training must be continuous, realistic, and tailored to the specific social engineering techniques targeting law firms – including authority-based phishing, fake invoice fraud, and conveyancing fraud.

Plan for the incident, not just the prevention

Only 26% of law firms believe they are “very prepared” to respond to a cyber incident. Incident response planning – including who to call, what to preserve, how to notify the ICO, and how to communicate with clients – must be established before an attack, not during one.

Authoritative External Sources

  1. NCSC Cyber Threat Report: UK Legal Sector
  2. ICO: DPP Law Monetary Penalty Notice
  3. Infolegal: The Rising Threat to UK Solicitors
  4. PDA Legal: Law Firm Data Breach Statistics 2025
  5. Tripwire: UK Legal Sector Breach Analysis

The legal sector’s cyber risk is not diminishing – it is accelerating. The firms that recognise security as a core business function, rather than an IT overhead, will be the ones that retain client trust, maintain regulatory standing, and remain operational when an attack occurs. The question is not whether your firm will be targeted, but whether it will be prepared.
