
What Threats are Targeting Law Firms: The Biggest Cyber-attacks


Cybersecurity in Law Firms


Law firms are a popular target for computer hackers. According to the American Bar Association, up to 42% of law firms with 100 employees or more have experienced a data breach. Legal firms collect a huge amount of personal information and are strictly required to adhere to attorney-client privilege. Any information a client shares with their attorney is to remain confidential, and a cyber-attack is no excuse to go back on this promise. The American Bar Association (ABA) states under rule 1.6 that "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." As a result, it's essential for law firms to invest in defending against cyber threats.



Biggest Cyber Threats for Law Firms


Within the legal sector, some cyber-attacks are more prominent than others. Here are some of the biggest cyber threats that affect law firms:


Ransomware: Most hackers are pursuing financial gain, and ransomware is the most popular way to do this. Hackers see the value of the information held by a law firm as a chance to extort the company for money. In a ransomware attack, once the company is compromised, the hackers steal and encrypt as much of the company's information as possible and demand a ransom fee for the safe return of that information. Given that interruptions to business operations are costly and the threat of releasing that information to the public would have long-lasting repercussions, many firms opt to pay the ransom.


Insider Threats: An insider threat is anyone already inside the company network who may have malicious intent against the company. This can be a former employee, a disgruntled employee, an employee looking to make extra money, etc. These threat actors want to use their access to company resources and data either to profit or to hurt the company. For example, imagine an intern who can access information about a vital company case and is willing to sell that information to a competitor or the opposing party.


Phishing Attacks: This type of social engineering attack is where the hacker uses psychological manipulation to get the victim to perform an action that will hurt the company. For example, a hacker may email the company pretending to be a third party or another employee and request that sensitive information be sent to them. If the employee complies and sends the information, that will constitute a data breach for the law firm.



Biggest Cyber Attacks in The Legal Sector


1) Wengui v Clark Hill Law Firm 


In 2016, a Chinese entrepreneur and political dissident named Guo Wengui hired the international law firm Clark Hill to help him apply for political asylum in the US. Wengui informed Clark Hill that the Chinese government had targeted him with ongoing cyber attacks and that the firm would likely be targeted for helping him. As he predicted, in September 2017 Clark Hill's servers were hacked, and the passport information of Wengui and his wife, along with their application for political asylum, was leaked. After the hack, Clark Hill tried to absolve itself of liability by dropping Wengui as a client. This resulted in a $50 million lawsuit from Wengui against Clark Hill that is still ongoing.


2) Mossack Fonseca


One of the most impactful data breaches in the legal sector occurred back in 2016. The international law firm Mossack Fonseca was hacked, and more than 2.6 terabytes of data across 11.5 million documents were leaked as a result. This breach was notable not just because of the amount of data leaked but because of the names associated with it. For example, the leaked documents linked Russian President Vladimir Putin to $2 billion in offshore accounts.


3) Johnson & Bell


This is a unique case where the company wasn't actually breached but is being sued for putting client information at risk. The plaintiff argues that the defendant's web portal is vulnerable to attack and that, by not fixing these vulnerabilities, the firm is putting client information at risk. What makes the case unusual is that a company was sued without having suffered a data breach at all: the fact that it was putting client information at risk through poor security practices was enough to bring on a lawsuit.



Cybersecurity Tips for Companies in The Legal Sector



Apply Security Patches: The easiest way to reduce the number of vulnerabilities in your environment is to apply security patches regularly. As security vulnerabilities are found in software and hardware products, the vendors will typically release fixes that can be applied through patching. 


Do regular security assessments: Another way to defend your company from data breaches is to do regular security assessments. This helps you better understand the risk and vulnerabilities in your current environment. 


Invest in security solutions: Next on the list is investing in security solutions. At a minimum, you should have security solutions installed on all endpoint machines on your network and an email security solution to help filter out potential phishing attacks.


Security Awareness Training: Lastly, you should have security training for your employees on identifying social engineering attacks and what to do in response. The human element of your company is most prone to making mistakes, and you must invest in training your staff to be more security conscious.





Law firms remain a massive target for hackers because they hold valuable, sensitive information that can be used to make a large profit. Law firms must understand that they are prime targets for cybercriminals and look for ways to protect themselves from these attacks.


This article gave five main tips for improving your company's cybersecurity posture. These include applying security patches, doing regular security assessments, investing in security solutions, and providing your employees with security awareness training.