Up to 60% of all data breaches at UK law firms were caused by human error from staff, according to new research by NetDocuments. The study, based on data released by the Information Commissioner’s Office (ICO) between the third quarter of 2022 and the second quarter of 2023, reveals that only 40% of data breaches originated from malicious actors. Additionally, it is estimated that data belonging to 4.2 million people could have been compromised as a result of these incidents.

Analysis of ICO statistics on data breaches in the UK legal sector has revealed that most incidents were caused by human error. Nevertheless, the threat of cyberattacks against the sector remains potent. (Photo by Stock Studio 4477/Shutterstock)

Most data breaches in the UK legal sector in the period analysed appear to have been caused by staff carelessness: 37% of incidents involved employees sending sensitive data to the wrong person, and a further 39% arose from other errors such as hardware misconfiguration or failing to use the BCC field when emailing several recipients, which exposes every recipient's address to all the others. Most of the data compromised by these errors was basic personal information (49%), with the remainder split roughly evenly between financial data, health data and official documents.

“Above all, it seems that human interaction is at the heart of these statistics,” says Jake Moore, global cybersecurity advisor at ESET. “With the amount of extremely sensitive data held and managed in law firms, it is imperative that these companies are on top of their staff awareness training.”

Cyberattacks on law firms increasing

Despite the predominance of human error as a cause of data breaches in the UK legal sector over the period, the threat from malicious actors to law firms remains potent. According to the ICO data, 27% of breaches were triggered by phishing and ransomware attacks. A further 12% of incidents involved data lost through the theft of a device or because data was left in an insecure location.

Recent months have seen UK law firms repeatedly warned to strengthen their cybersecurity after several prominent cyberattacks. Last week, both the Law Society and the National Cyber Security Centre urged the sector to strengthen internal safeguards after an attack on IT services provider CTS temporarily derailed conveyancing operations at 80 separate solicitors' firms. This followed a string of similar attacks throughout 2023, including one against "magic circle" firm Allen & Overy in November.

“Our technical response team, working alongside an independent cybersecurity adviser, took immediate action to isolate and contain the incident,” said the firm at the time. “We appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our clients’ data safe, secure, and confidential is an absolute priority.” 
