British law firms warned to upgrade cyberdefenses against ransomware attacks
Law firms in Britain were warned on Thursday to upgrade their cyberdefenses in the wake of a number of ransomware attacks that led to sensitive and potentially legally privileged information being stolen by criminals and published online.
In a threat report for the British legal sector, the National Cyber Security Centre (NCSC) warned that financially motivated extortion incidents as well as intellectual property theft by state-sponsored hackers were having significant impacts on the sector.
Among the case studies highlighted in the report was a ransomware attack on Tuckers Solicitors in 2020. “The attacker … managed to exfiltrate data relating to 60 court cases, some of which were live, and published them on the dark web,” the agency reported.
Tuckers Solicitors was fined £98,000 by the Information Commissioner’s Office (ICO) for “negligent security practices” after it was deemed likely the criminals had penetrated the firm’s network through a publicly known system vulnerability in software that hadn’t had the patch applied for five months.
The ICO particularly criticized the firm for its lack of multifactor authentication and the failure to encrypt stored personal data and legal bundles, as well as for running Windows 7 past its support date, all of which were deemed to be a breach of Tuckers’ legal obligations to protect personal data.
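The four ICO findings above (a known vulnerability left unpatched for months, no multifactor authentication, unencrypted personal data, and an operating system past end of support) are the kind of baseline a firm can check mechanically across its own estate. The following is an added example, not code from the article, the NCSC or the ICO: it scores a constructed asset inventory against those four findings. The inventory records, the 30-day patch threshold and the dates are assumptions; the only real figure is the Windows 7 end-of-support date. Any operating system not listed in the end-of-support table is treated as supported, which is a deliberate simplification.

```python
"""Added example (not from the article, the NCSC or the ICO): check a
constructed asset inventory against the four findings the ICO cited in the
Tuckers case. Thresholds and inventory data are assumptions."""
from dataclasses import dataclass
from datetime import date

# Windows 7 reached end of extended support on 14 January 2020 (real date).
# Systems not listed here are treated as still supported (simplification).
END_OF_SUPPORT = {"Windows 7": date(2020, 1, 14)}

# Assumed policy: a patch for a publicly known vulnerability must be applied
# within this many days. Not a figure from the report.
PATCH_AGE_LIMIT_DAYS = 30


@dataclass
class Asset:
    name: str
    os: str
    patch_available: date      # constructed: release date of the outstanding vendor patch
    patch_applied: bool
    mfa_enabled: bool
    data_encrypted_at_rest: bool
    holds_personal_data: bool = True


def audit_asset(asset: Asset, today: date) -> list[str]:
    """Return the findings for one asset; an empty list means it meets the baseline."""
    findings = []
    eos = END_OF_SUPPORT.get(asset.os)
    if eos is not None and today > eos:
        findings.append(f"{asset.os} past end of support since {eos.isoformat()}")
    if not asset.patch_applied:
        age = (today - asset.patch_available).days
        if age > PATCH_AGE_LIMIT_DAYS:
            findings.append(f"known vulnerability unpatched for {age} days")
    if not asset.mfa_enabled:
        findings.append("multifactor authentication not enforced")
    if asset.holds_personal_data and not asset.data_encrypted_at_rest:
        findings.append("personal data stored without encryption")
    return findings


def audit_inventory(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each asset name to its findings so the worst assets stand out."""
    return {a.name: audit_asset(a, today) for a in assets}


# Constructed inventory: one host resembling the failings described in the
# article (patch outstanding about five months), one host that is compliant.
SAMPLE_INVENTORY = [
    Asset("case-files-01", "Windows 7", date(2020, 3, 10),
          patch_applied=False, mfa_enabled=False, data_encrypted_at_rest=False),
    Asset("dms-02", "Windows 10", date(2020, 7, 25),
          patch_applied=True, mfa_enabled=True, data_encrypted_at_rest=True),
]
AUDIT_DATE = date(2020, 8, 10)  # constructed audit date

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

In practice the inventory rows would come from an endpoint management or vulnerability scanning export rather than being typed in, and the patch-age threshold would follow the firm's own policy; the value of the check is that each of the regulator's findings maps to one explicit, testable condition.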
Similar incidents have also taken place in the United States. Earlier this year, New York's attorney general issued a $200,000 fine for a law firm representing hospitals whose sensitive files were accessed in a 2021 ransomware attack. A data breach at a law firm earlier this year exposed personal information of more than 50,000 employees of snack food company Mondelez.
NCSC’s warning also specifically highlighted a report in the Guardian newspaper about “the Pegasus software sold by Israeli-firm, NSO group” which warned that lawyers representing human rights cases had been targeted by the commercial spyware.
“The UK legal sector carries out essential work to uphold our society; however, we know the sensitive data legal firms handle can make them attractive targets to online attackers,” warned the NCSC’s chief executive Lindy Cameron.
The agency’s report stressed that NCSC itself provides “a range of guidance and tools that organizations can access to improve their cyber security resilience, including the NCSC’s Active Cyber Defence (ACD) programme or the Cyber Essentials programme to secure a baseline of cyber security protections.”
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.