January 11, 2024

Over half of data breaches at UK law firms caused by staff, says new research

New research into data released by the Information Commissioner’s Office reveals that up to 4.2 million people could have been impacted by law firm data breaches last year.

By Greg Noone

Up to 60% of all data breaches at UK law firms were caused by human error from staff, according to new research by NetDocuments. The study, based on data released by the Information Commissioner’s Office (ICO) between the third quarter of 2022 and the second quarter of 2023, reveals that only 40% of data breaches originated from malicious actors. Additionally, it is estimated that data belonging to 4.2 million people could have been compromised as a result of these incidents.

Analysis of ICO statistics on data breaches in the UK legal sector has revealed that most incidents were caused by human error. Nevertheless, the threat of cyberattacks against the sector remains potent. (Photo by Stock Studio 4477/Shutterstock)

Most data breaches in the UK legal sector in the period analysed appear to have been caused by staff carelessness, with 37% of incidents caused by employees sharing sensitive data with the wrong person. 39%, meanwhile, arose from other errors like hardware misconfiguration, or failure to use the BCC function in emails to hide the addresses of email recipients. Most of the data compromised as a result of these actions seems to have been basic personal information (49%), with the rest being an even distribution of financial data, health data and official documents. 

“Above all, it seems that human interaction is at the heart of these statistics,” says Jake Moore, global cybersecurity advisor at ESET. “With the amount of extremely sensitive data held and managed in law firms, it is imperative that these companies are on top of their staff awareness training.”

Cyberattacks on law firms increasing

Despite the predominance of human error as a cause of data breaches in the UK legal sector last year, the threat from malicious actors to law firms remains potent. According to the ICO data, 27% of breaches were triggered by phishing and ransomware attacks. Another 12% of data, meanwhile, was lost as a result of the theft of a specific device or leaving data in an insecure location.

In recent months, UK law firms have been repeatedly warned to beef up their cybersecurity after several prominent cyberattacks. Last week, both the Law Society and the National Cyber Security Centre urged the sector to strengthen internal safeguards after an attack on IT services provider CTS temporarily derailed conveyancing operations at 80 separate solicitors’ firms. This followed a string of similar attacks throughout 2023, including against “magic circle” firm Allen & Overy in November.

“Our technical response team, working alongside an independent cybersecurity adviser, took immediate action to isolate and contain the incident,” said the firm at the time. “We appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our clients’ data safe, secure, and confidential is an absolute priority.” 
