The UK’s largest conveyancing and property services business lost £7.3m after a cyberattack crippled its systems for weeks. In a rare insight into the cost of a breach, the affected company, Simplify, says it was able to claim most of the money back through insurance, but is still counting the cost of the lost business relating to the incident.

Simplify lost £7.3m after a cyberattack in 2021. (Photo by Natee Meepian/Shutterstock)

Based in Leicester, Simplify Group operates six conveyancing brands: Premier Property Lawyers, APL, DC Law, JS Law, Cook Taylor Woodhouse and GB Law. It handled 135,000 completions in the year to the end of March 2022.

How Simplify lost millions in a cyberattack

The attack took place in November 2021, and Simplify shut down its systems as a precaution following the breach. This meant thousands of customers buying or selling property were left stranded for up to four weeks and unable to complete transactions.

An investigation subsequently revealed that the personal information of some current and past employees was exposed in the attack, though it is not thought any customer data was stolen. A class action lawsuit was launched against the company by lawyers working on behalf of disgruntled clients.

The company’s newly released annual report shows that the incident cost the company £7.3m, with some of the cash spent on “engaging a leading cyber-response team”. It is not known if a ransom was demanded or paid for stolen data.

Though the report shows it was able to eventually recoup £6.8m via insurance, the attack led the company to enter “into conversations with its providers of capital to ensure that the long-term funding and capital structure of the group could be preserved and protected”. Subsequently, shareholders injected an additional £15m into the business.

Indirect costs of the breach were also significant, with the company unable to take on as much new business as normal. “The resultant restoration of systems required the level of new cases taken in to be significantly reduced for a period of approximately ten weeks, which has dampened the results for the financial year, which otherwise would have been on track to deliver a record number of completions,” the report says.

At the time of the attack, Simplify sought the advice of the Council for Licenced Conveyancers, as well as data regulator the Information Commissioner’s Office (ICO), to try to mitigate the harmful effects of the exposed customer data. 

The report says it “fully complied with all relevant obligations required by the ICO to ensure that any data or information loss resulting from the attack was appropriately handled.”

Law firms targeted by cybercriminals

Attacks on the legal sector are on the rise. A recent report on cybercrime released by the Solicitors Regulation Authority states that 75% of businesses polled had been the target of a cyberattack.

The report went on to explain that in 23 of the 30 cases, the law firm lost more than £4m of client money. On average, £3.6m was claimed against insurance policies and a further £400,000 had to be repaid by the companies to the clients. 

The loss of data often led to other indirect costs to the victim company. One firm lost around £150,000 worth of billable hours following an attack that seriously impacted its systems. 

The problem has reached such a level that some law firms are setting up cyber “war games” to practice dealing with an attack and mitigating its consequences.

Lawyer James North, head of technology, media and telecoms at Corrs Chambers Westgarth in Australia regularly stages this type of exercise, and told the FT: “There have been a lot of really significant attacks recently.”

He added: “Preparedness is patchy across the economy. A table-top exercise might last two or three hours with a situation designed to represent two to three weeks in the aftermath of an attack.”

Read more: Pension fund data may have been accessed during Capita cyberattack