Cybercriminals are going after law firms’ sensitive client data
Regardless of their size, all law firms hold valuable data, including client communications, financial records, and confidential legal strategies. That data has never been more at risk. Cybercriminals are targeting law firms by exploiting vulnerabilities, weak passwords, outdated systems, and untrained staff.
Experts say law firms fall into three groups when it comes to cybersecurity.
The first group finds problems and fixes them. The second group notices problems but doesn’t act. The third group, which is most prone to cyberattacks, doesn’t even know it has vulnerabilities. Smaller firms often fall into this group. Without IT or security staff, their data and client information are easier targets.
Even bigger firms aren’t immune. If cybersecurity is just one part of a general IT role, threats can slip under the radar and go unnoticed. Firm administrators often see cybersecurity as IT’s main focus. IT teams, however, are more focused on using AI and other emerging technologies to support the firm’s future.
Clients expect their data to be protected, and many are willing to pay more for firms that demonstrate strong cybersecurity.
Law firms’ blind spots
The weaknesses criminals exploit most often are:
Weak passwords and access controls: Shared accounts, simple passwords, and lack of 2FA make unauthorized access easier.
Outdated software and hardware: Unpatched systems and programs have known vulnerabilities that attackers can exploit. What many people don’t know is that printers are particularly vulnerable to compromise and are often overlooked as potential attack vectors.
Poor data storage practices: Sensitive client information kept on unsecured devices, in open shared folders, or in poorly secured cloud storage.
Insufficient cybersecurity awareness: Employees are often unaware of current threats, making them the weakest link in the chain and an easy target for social engineering and phishing attacks.
Third-party vendors: Attackers exploit weaknesses in platforms or risky user habits to access data shared between law firms, clients, and courts, which can cause data breaches and violate attorney-client confidentiality.
Cyberattacks are on the rise
Attacks on law firms keep climbing. According to Proton, 20% of law firms experienced a cyberattack in the past year, and 39% of those incidents led to data loss or exposure.
In 2024, Orrick, Herrington & Sutcliffe paid $8 million to settle a class action lawsuit after a March 2023 data breach. Hackers accessed the names, addresses, birth dates, and Social Security numbers of over 600,000 people from the firm’s files.
The FBI warned U.S. law firms about the Silent Ransom Group, which has been active since 2022. The group breaks into networks, steals client data, and demands payment while threatening to leak or sell the information. Since March 2025, it has moved from callback phishing campaigns that impersonated companies like Duolingo to vishing, where attackers pose as IT staff to get employees to install remote access tools such as Zoho Assist or AnyDesk.
The UK’s Legal Aid Agency disclosed a data breach that exposed sensitive case information, showing that government-backed legal organizations face the same risks as private firms. The breach forced the agency to take digital services offline, stopping online applications, payments to legal aid providers, and case processing.
Law firms are also finding themselves in the crosshairs of cyberattacks linked to foreign governments. Nation-state actors see the sensitive client and corporate information law firms hold as strategically valuable, making them prime targets for espionage and data theft.
AI is changing the threat landscape
AI is proving to be a useful tool for law firms, supporting tasks such as document management, legal research, contract review, billing, scheduling, client communication, outcome prediction, compliance checks, risk management, and drafting standard documents. But besides transforming how firms operate, it’s also opened the door to criminal activities.
We are seeing a new wave of highly sophisticated attacks, especially phishing. Even experienced pros are getting caught, showing how advanced these attacks have become.
Deepfake videos and calls are part of this trend. A convincing deepfake video could trick clients, courts, or even lawyers if it’s used to fake evidence, testimony, or communications. These tools are widely available and relatively inexpensive, which makes the threat more serious.
According to ISACA, 71% of IT and cybersecurity professionals expect deepfakes to grow sharper and more widespread in the year ahead.
Mitigation strategies for law firms
Incident response planning: Document a plan covering detection, containment, communication, and recovery. Assign responsibilities across IT, legal, and operations teams. Test the plan with simulations and adjust it as new threats appear.
Employee cybersecurity training: Train staff on threats, such as phishing, BEC, and social engineering targeting client data. Include hands-on exercises and monitor performance to identify gaps.
Password and authentication management: Require strong, unique passwords and use enterprise password management tools. Apply MFA across key systems, including email, cloud storage, and practice management software.
Data backup and recovery: Automate backups for client-facing systems and sensitive repositories. Store copies in separate, encrypted locations. Validate recovery procedures under realistic conditions to ensure they function correctly.
Encryption of data at rest and in transit: Encrypt data both in storage and during transmission. Review encryption protocols periodically to confirm they meet current standards and avoid weak ciphers.
Patch management and system monitoring: Monitor vulnerabilities and apply patches to software, firmware, and network devices. Use centralized logging and SIEM tools to detect suspicious activity early.
Role-based access control (RBAC): Restrict access based on roles so users can only reach the systems and data required for their work. Audit accounts and track privileged accounts for unusual activity.