
A Free First Step for Your Law Firm
Sign up for a Free Security Vulnerability Scan. No obligation, no cost, all insights.
A rash of law firm cyberattacks has grabbed headlines around the world, and the pace is set to increase throughout 2025 and beyond. In fact, the FBI recently released a warning to law firms: a well-known hacking group has been targeting the legal industry with increasing focus and severity.
Law firms of all sizes have been the target of a growing number of cyberattacks resulting in data breaches. Consequences include fines, impacts to cyber risk insurance, reputational damage, and more. In a number of cases, class action lawsuits have begun to mount against affected law firms, creating financial and reputational strain in the aftermath of the breach.
If you think like a hacker, it becomes fairly clear why law firms are such a desirable target. Several factors lead bad actors to zero in on law firms, including the following:
The cybersecurity climate is particularly hostile for today’s law firms, and we’ve seen numerous examples of targeted attacks come to light in recent news. Below, we’ll share some key takeaways from recent headlines and recap some of the stories behind them.
For many law firms, cybersecurity takes a backseat because they believe they will not be targeted. Unfortunately, most businesses also believe they will not suffer a cyberattack, right up until it is too late.
Many law firms believe that they are too small to be breached, but this is simply not the case. In fact, according to StationX, “Data breach attempts are more successful against smaller organizations. In fact, 85% of firms with fewer than 1,000 employees say their systems have been successfully penetrated, compared to 60% of larger companies.”
Despite the statistics, including an average breach cost that has soared to nearly $4.9 million, many law firms still aren't prioritizing cybersecurity. But if even the experts can get breached, so can you.
In early 2024, San Francisco-based international law firm Orrick, Herrington & Sutcliffe disclosed that an attack had exposed the sensitive records of more than 637,000 people, many of whom were already victims of a previous breach.
Those prior victims were caught up in the incident because Orrick specializes in guiding companies through the aftermath of a data breach, including satisfying regulatory requirements and penalties. According to TechCrunch, “Orrick said the hackers stole reams of data from its systems that pertain to security incidents at other companies, during which Orrick served as legal counsel.”
After the initial announcements, Orrick’s count of breach victims increased threefold, meaning hundreds of thousands of records containing financial, identifying, and healthcare data were stolen. The incident resulted in the settlement of four class action lawsuits.
It seems highly unlikely that a law firm with such a niche specialty in data breach litigation would itself be hit by a cyberattack, which is exactly why this is a cautionary tale. Never assume that your law firm won’t be targeted, or that you are probably prepared enough. Seek expert help in determining your security posture and stay alert in today’s cybersecurity climate. If it can happen to a law firm that deals in cybersecurity day in and day out, it can happen to any firm.
The damage done by a breach has wide-reaching effects, and these are not limited to the affected law firm itself.
A breach can have devastating consequences for both individual and corporate clients of the law firm, and any affected party could attempt to join a class action lawsuit. Many such lawsuits have been filed in recent years, both against breached law firms and against their corporate clients (such as hospitals) who originally shared the affected data with the firm.
South Carolina law firm Riley Pope & Laney recently suffered a data breach that allegedly exposed the data of over 7,000 class members unaffiliated with the law firm, who claim that they had not consented to their data being stored by the firm. According to a report, the firm serves “corporations and employers who oversee highly sensitive data, the complaint said, requiring them to manage and secure the PII of its clients' employees. However, these employees did not do any business with the law firm according to [the lead plaintiff].”
Says Law.com, “The breach allegedly occurred due to inadequate training of IT and data security agents, the suit stated. The firm then allegedly waited six months to begin notifying affected individuals of the breach, which made victims vulnerable to identity theft without warnings to monitor their financial records or credit reports.”
For law firms working with corporate clients, unique issues of liability further complicate the remediation and litigation process that so often follows a breach. When law firm Bryan Cave Leighton Paisner suffered a breach in 2023, the ramifications reached its client Mondelez, the snack food giant behind Nabisco, Oreo, Ritz, Halls, and many other household names.
The subsequent lawsuit against Mondelez, brought by a class of 1,100 Mondelez employees, highlights a crucial risk for law firms operating in the era of modern cyberattacks. Per a Law.com report:
“The plaintiffs, a proposed class of 1,100 current and former Mondelez employees, argued that the company had not properly protected their sensitive data by ensuring that Bryan Cave had ‘reasonable cybersecurity procedures’ in place when intruders accessed its systems in February 2023, ‘including an area it used to store certain customer files.’”
Though the suit was eventually settled for $750,000, that conclusion took months to reach, and it could change the game for corporate clients, who may be increasingly wary of giving their business to law firms without rigorous cybersecurity practices in place. As these types of lawsuits multiply, corporate clients will scrutinize the firms they engage more closely and will want assurance that the firm can protect every layer of individual data stored in its systems.
Law firms working with hospitals should be especially wary of the changing landscape of cybersecurity, risk, and liability. A rash of law firms has been attacked in pursuit of sensitive healthcare data, which Forbes notes is “highly prized on the black market.”
In their report on a recent breach that exposed 300,000 patients’ data, Forbes states that the subsequent lawsuit from that incident “highlights a concerning trend: cyberattacks increasingly target not only healthcare providers but also their service partners, like law firms, which store extensive patient data. In fact, healthcare data breaches are among the most financially damaging, with the average cost per breach reaching nearly $9.8 million in 2024. This financial toll, coupled with the sector's reliance on digital records and frequently outdated IT infrastructure, intensifies the imperative for robust cybersecurity.”
Our Free Security Vulnerability Scan is an assessment that helps law firms identify the greatest areas of risk in their technology. Here’s what’s included:
Law firms have a unique responsibility to protect the massive volumes of client data they hold. When a breach occurs, those clients, along with the general public, the media, and the legal industry as a whole, place law firms and their technology decisions under intense scrutiny.
Take, for example, the recent news out of the UK.
The Legal Aid Agency (LAA) is an organization that “provides legal advice, family mediation, and representation to qualifying individuals, including victims of domestic violence, early and forced marriages, and various forms of discrimination” (CPO Magazine). As such, the agency houses a large amount of sensitive data belonging to vulnerable populations.
Millions of LAA’s client records were leaked in a data breach, which incurred scrutiny from the public, who pointed the finger at the UK’s Ministry of Justice (MoJ). Critics bore down on the MoJ’s alleged lack of cybersecurity safeguards, while a representative for the MoJ in turn highlighted the “fragility of IT systems” that Legal Aid Agency had been using at the time of the attack.
It’s crucial for law firms to anticipate the increasingly hostile threat landscape surrounding their business and to plan ahead with practical, consistent, and sustainable cybersecurity measures that keep clients, staff, and the business itself safe.
Alongside the expectation of incident prevention, there is the expectation of incident response. To the public, how a firm handles and responds to a potential breach is nearly as important as the steps it took to avoid the breach in the first place.
A number of class action lawsuits filed against breached law firms cite a lack of timely response as a chief complaint. In one such case, the Hartford Business Journal reported the following regarding Connecticut law firm Brown Paindiris & Scott LLP, which suffered a breach:
“Also, the suit claims the firm waited 464 days after the breach occurred to notify people[.] ‘The defendant kept the class in the dark — thereby depriving the class of the opportunity to try and mitigate their injuries in a timely manner,’ the suit states.”
Only about one-third of law firms have an incident response (IR) plan, which can make all the difference in preserving a firm’s reputation through a breach. An IR plan is a roadmap for handling potential cyberattacks and incidents, and it gives your firm a clear path forward in what can otherwise be a confusing and frightening time.
An IR plan lets a firm move quickly through the investigation and keep clients informed throughout, helping to limit the reputational risk that comes with a breach. Notably, you will already know who to contact for help with the intense remediation process, allowing your firm to respond swiftly and avoid delays in notifying impacted parties.
After an initial incident response, a breached law firm will need to take steps to remediate.
There’s a difference between incident response and incident remediation. eSentire explains it well: “While incident response is the immediate reaction to mitigate the impact, incident remediation encompasses the subsequent steps to recover, learn from, and fortify against future incidents.”
A strong incident response makes remediation easier in many ways, including by cataloging the vital information your law firm needs to properly notify the public, clients, and relevant authorities of the incident and of the progress made. When a law firm lacks this information, remediation can get messy and the consequences can multiply. In one such case, a law firm suffered a huge breach and contended with a severely delayed investigation, leaving it unable to determine exactly which individuals, out of nearly 3.5 million, were affected.
In December of 2023, a massive breach took place at well-known law firm Wolf Haldenstein, exposing 3.4 million records containing sensitive personal and/or medical information. This staggering attack led to “[a] comprehensive and time-consuming review of the affected parts of the network.” The review “confirmed that names, Social Security numbers, employee identification numbers, medical diagnoses, and medical claims information had been exposed and potentially stolen in the incident,” reports HIPAA Journal.
Due to complications in the investigative process and the subsequent data analysis, Wolf Haldenstein cannot pinpoint exactly who was affected by the attack, and it sent out notifications roughly one year after the attack took place, a notable delay. Some individuals whose addresses were not on file with the firm may not have received a notification at all. Though the firm says there is no evidence yet that the data has been misused, the exposure alone leaves this massive amount of sensitive data available for attackers to use and sell. The firm has offered to arrange identity monitoring services for those affected.
In addition to the investigation and remediation process, the legal and regulatory consequences of a breach can further delay your law firm’s recovery and return to business as usual. Gunster, a Florida business law firm, reached a settlement two years after its breach occurred, agreeing to pay more than $8.5 million to resolve the class action lawsuit against it.
Law firms can deal with the effects of a breach for months, or even years, after the actual incident is contained and resolved. This includes reputational damage, the work of re-establishing trust in the industry and with clientele, an average loss of $100,000 for every hour of downtime, and the legal and regulatory fallout. For a law firm without an established plan and partnerships in place, recovery can drag on even longer.
It can be extremely difficult for law firms to navigate the changing threat landscape. Many law firms accrue risk with issues like:
These and many other factors create additional risk inside your law firm’s technology architecture. One of the best ways a law firm can approach cybersecurity is with help from a high-quality, experienced partner.
The right partner can assess these risk areas within your IT systems and help you sustainably and cost-effectively reduce the likelihood of a breach. A holistic approach addresses each individual weakness and strengthens your law firm from top to bottom.
Locate the weak spots in your technology and secure your law firm against attacks with this FREE scan.
Law firms face a growing threat from cybercriminals looking to find, expose, and share sensitive information from their clients. Due to the high volume of private information held in their networks, an increasing number of firms have made headlines after devastating breaches.
At STS, we believe security is the foundation of a thriving business. That’s why we’re offering a free assessment to help support and protect law firms from threats targeting their business and clients.
To claim your free assessment, click the button below.
Many law firms choose to engage a Managed Service Provider (MSP), a technology partner that handles the firm’s IT strategy as well as day-to-day support, project planning and implementation, and more. But not all MSPs are created equal. In fact, no MSP is required to maintain compliance with any broader regulatory standard or certification.
At Strategic Technology Solutions, we proudly elect to undergo SOC 2 Type II attestation, a widely recognized AICPA auditing standard in which an independent auditor examines a service provider’s security controls over a sustained review period rather than at a single point in time. We have maintained this attestation for more than five years, which keeps us at the forefront of cybersecurity practice and reduces our own risk, which in turn reduces the risk to our clients.
We use this process to keep evolving our defenses against modern cybercrime. Each audit cycle surfaces current best practices and security insights that we pass on to our clients, reducing the third-party risk of working with a vendor while mitigating their internal risk through best-in-class strategies.
The STS team is prepared to stand by your law firm long-term, helping you stay ahead of evolving threats and protect yourself from the devastating consequences of a breach. Get in touch today to learn how we can keep your law firm safe and secure.