Legal professionals face a growing number of cyber threats. Cyberattacks on law firms threaten the integrity of their intellectual property, trade secrets, and confidential client information. With law firm data breaches rising and continued digital transformation across the legal industry, firms must strengthen their security posture as they modernize to safeguard sensitive information.
Law Firm Data Breaches Are on the Rise
Given the wealth of sensitive information they possess, law firms are prime targets for cyberattacks. Recent data has shown that these types of data breaches have been rising. According to the American Bar Association (ABA), 29% of law firms reported a security breach in 2023, which is up from 27% one year prior.
These cyberattacks and data breaches create devastating effects—both for the firms themselves and their clients. From a financial standpoint, breaches disrupt operations, preventing firms from completing billable work and generating income. This is in addition to the cost of recovering lost data, paying regulatory fines, investigating the incident, and implementing new security measures.
Not to mention, firms can take a significant reputational hit after a breach if clients don’t feel as if the firm can protect their private information. Affected firms may struggle to earn new business, creating even further financial loss.
Keep in Compliance with Data Protection Regulations
As cyber threats evolve, compliance with data protection regulations safeguards firms against financial and reputational impacts as well as legal repercussions. In addition to the typical legal and ethical obligations, law firms handling the personal data of California residents must also comply with the California Consumer Privacy Act (CCPA).
The CCPA grants consumers rights over their personal data, including the rights to access, delete, and opt out of data sales. A breach involving California residents’ data could lead to CCPA obligations, including potential fines or lawsuits. To meet CCPA standards, firms must protect data rigorously, notify clients promptly of breaches, and respond to data rights requests.
What Kinds of Law Firm Data Are Breached?
When targeting law firms, cybercriminals are after a wide range of information they can exploit for personal gain, including:
- Client records
- Case details
- Financial information
- Internal communications
Should this data fall into the wrong hands, perpetrators can hold it as ransom, demanding financial compensation in exchange for its safe return. Alternatively, they may sell the information on the dark web, making clients vulnerable to further attacks.
Computers that store sensitive data locally are common targets for attackers, as are cloud-based applications like document storage or messaging software. However, other office devices–like printers and copiers–also store important data that could be compromised, and they’re often overlooked as potential security threats. Ensuring your printers are secure must be a key consideration in your firm’s cybersecurity framework.
How Law Firms Get Hacked
Cybercriminals employ various attack vectors to gain unauthorized access to sensitive firm and client data. They exploit vulnerabilities in seemingly secure systems, such as printers, to gain entry. If these systems are not adequately secured, attackers may gain access to the rest of the firm’s network and devices.
Organizations make several common security mistakes that often lead to successful breaches. These include using default security settings on print devices, setting weak passwords, ignoring firmware updates, and neglecting proper employee training.
Common Types of Law Firm Cyberattacks
In our discussion of cybersecurity and law firms, it’s important to take a closer look at the specific mechanisms perpetrators use to carry out their cyberattacks:
- Man-in-the-Middle Attacks: Attackers use network vulnerabilities to intercept network communications before they reach the intended destination.
- Phishing: A social engineering tactic where cybercriminals deceive individuals into thinking they’re in contact with a legitimate source, convincing them to divulge personal or sensitive information.
- Malware: Short for malicious software, malware is corrupt software cybercriminals use to disrupt networks or devices, steal private information, and interfere with regular functions.
- Ransomware: A specific type of malware that keeps users from accessing certain files, systems, or networks without paying a ransom.
Key Law Firm Cybersecurity Vulnerabilities
It may surprise some that printers represent one of the highest cyber risks. In print and digital environments, law firm data security is threatened by several key vulnerabilities, including:
- Poor document management workflows
- Outdated software and hardware
- Weak passwords
- Improper employee training
Failing to address these threats could lead firms to succumb to common IT security myths, leaving their systems vulnerable to devastating cybersecurity incidents.
Poor Document Management Workflows
Firms must find ways to secure both print and digital documents, as they can become security vulnerabilities if not managed properly. Leaving documents with sensitive information on the printer tray, inadvertently sharing them with clients, or leaving data on the printer’s hard drive can be critical mistakes, potentially exposing confidential information to unauthorized parties.
To mitigate this risk, lawyers can adopt security best practices for both paper and digital documents, such as shredding or securely deleting documents when no longer needed.
Outdated Software & Hardware
The ABA found that 42% of law firms with 100 or more employees still rely on outdated software. Vendors may not support legacy devices and software, meaning they no longer provide security patches to address vulnerabilities.
Continued use of these systems could compromise information security for law firms, creating an increased attack surface for unauthorized entry. To counter this risk, firms might consider regularly replacing and investing in new software and devices, such as self-healing printers, which automatically detect and recover from cyberattacks in real time, thereby mitigating the impact of a breach.
Weak Passwords
IBM reports that stolen or compromised passwords are the most common initial attack vectors in data breaches. Implementing password-based or multi-factor authentication is a critical component of any firm’s security framework, essential for securing wireless printers and ensuring that only authorized users gain access to protected systems and devices.
However, these controls can be undermined when employees fail to practice proper password hygiene. Proper hygiene includes regularly updating passwords, using unique credentials across different systems, and setting strong passwords.
Improper Employee Training
Employees who are unaware of common cybercriminal tactics may fall victim to phishing and social engineering attacks. As a result, they might unknowingly reveal sensitive information or expose credentials that give attackers access to the firm’s digital assets. These clever tricks exploit employees’ lack of awareness of such threats, which must be mitigated through regular training and controlled tests.
Top 6 Major Law Firm Data Breaches
2024 is on pace to be a record-breaking year for law firm cybersecurity incidents. In just the first half of the year, 21 law firms reported data breaches compared to 28 in all of 2023.
Looking at the commonalities between recent incidents, it’s evident that attackers are keen on accessing the treasure trove of client information law firms possess, often using ransomware to carry out the attacks.
Before delving into the specifics of each, here’s an overview of some real-life cybersecurity scares that have impacted six major law firms around the world in the past few years:
Law Firm Targeted | Date of Attack | Attack Type | Individuals Impacted | Type of Data Breached | Cost of the Attack |
---|---|---|---|---|---|
Bryan Cave Leighton Paisner | February 2023 | Unknown | 51,000 | Client’s employees’ names, home addresses, dates of birth, employee ID numbers, SSNs, retirement plan information | $750,000+ |
Houser LLP | May 2023 | Unknown | 325,000 | SSNs/TINs, driver’s license numbers, medical information, credit card numbers | Unknown |
Taft Stettinius & Hollister | October 2023 | Ransomware | 6,000 | Client names, home addresses, SSNs | Unknown |
American Bar Association | March 2023 | Unknown | 1.5 million | Login credentials | Unknown |
Burr & Forman | October 2023 | Unknown | 20,000 | Client names, SSNs, medical coding information, insurance data | Unknown |
Allen & Overy | November 2023 | Ransomware | Unknown | Unknown | Unknown |
Data Breach at Bryan Cave Leighton Paisner, USA
A February 2023 data breach at the law firm of Bryan Cave Leighton Paisner resulted in unauthorized access to the personal employee data of its client, Mondelēz International. The breach is reported to have impacted more than 51,000 current and former employees of the food and snack company.
The compromised data included employee names, home addresses, dates of birth, employee ID numbers, Social Security numbers, and retirement plan information. The method by which the law firm was hacked has not been publicly disclosed. However, as of October 2024, the firm had agreed to pay a settlement of $750,000 to the affected Mondelēz employees.
Data Breach at Houser LLP, USA
Houser LLP, an American law firm specializing in commercial and business litigation, discovered in May 2023 that some of its files had been encrypted. The firm initiated an investigation with the assistance of a third-party organization.
The investigation revealed that certain files not only had been encrypted, but also copied and stolen from the network, compromising the personal data of more than 325,000 individuals. This breach included a wide range of sensitive personal information, such as clients’ Social Security numbers, driver’s license numbers, medical information, and financial account information.
The circumstances of how the breach occurred remain unknown. However, in June 2023, the attackers informed the firm that they had deleted all copies of the stolen data and assured the firm that the data would not be distributed. Currently, Houser is facing a class-action lawsuit filed by an affected individual. Among other allegations, the lawsuit claims that the firm failed to notify potential victims until ten months after the breach.
Ransomware Attack on Taft Stettinius & Hollister, USA
Taft Stettinius & Hollister, the largest law firm to report a breach in the first half of 2024, currently ranks number 83 on the Am Law 100 list. The firm became aware of a ransomware attack in October 2023, which resulted in unauthorized access to client and personal data stored on certain secondary servers and workstations.
Reports on the incident indicate that the names, addresses, and Social Security numbers of almost 6,000 individuals were accessed during this attack. The exact cost or financial impact of the incident remains unknown.
Attack on American Bar Association, USA
The American Bar Association (ABA) is the largest voluntary bar association in the United States, representing more than 400,000 members. Although not a law firm, the ABA experienced a data breach in 2023 that impacted 1.5 million lawyers with accounts on its website.
The association first noticed unusual activity on its network in mid-March and launched an investigation. It was discovered that an unauthorized user had accessed and stolen login credentials for its old website and career center, which were used prior to 2018. The ABA noted that none of the stolen passwords were stored in plain text, reducing the likelihood of misuse.
Despite a proposed class action lawsuit brought against ABA by some of the affected lawyers, the case was ultimately dismissed. The financial impact of the breach remains unknown.
Attack on Burr & Forman, USA
Burr & Forman, an Am Law 200 firm, fell victim to a data breach in October 2023. The firm became aware of the incident after detecting anomalous activity on a network laptop. Further investigation revealed that an unauthorized user had accessed several documents and information within the firm’s system, some of which contained personal data.
The incident affected almost 20,000 individuals, notably impacting two of the firm’s healthcare clients, including Oceans Healthcare, which is subject to HIPAA. At this time, no repercussions or financial impact related to the incident are publicly known.
Ransomware Attack on Allen & Overy, UK
In November 2023, London-based law firm Allen & Overy fell victim to a ransomware attack that impacted several storage servers. LockBit, a cybercriminal group known for offering “Ransomware-as-a-Service,” took credit for the attack, threatening to release the breached data unless the firm paid a multimillion-dollar ransom by the end of the month.
The firm has declined to confirm whether it received a ransom demand or whether LockBit was responsible for the incident. However, the deadline passed without any release of data.
Sign Up for a Free Printer Security Consultation
Without a secure print strategy, law firms expose themselves and their clients to the risk of serious cyberattacks. Investing in cybersecurity helps law firms protect client data, avoid costly legal fines and penalties, and maintain a reputation as trusted legal advisors.
Whether you have questions about which print devices are the most secure or need help finding the best copier security solution for legal professionals, imageOne can help. Our managed print services benefit law firms across Michigan, Missouri, Ohio, and beyond.
With a custom approach tailored to your needs and backed by HP Wolf Security, we offer advanced protection for your documents, data, and devices to keep them safe from modern threats.
Contact us today to request your free printer security consultation.