Allen & Overy held to ransom: Law firms & cyber security threats
Erin Bradbury – 4 December 2023
In this technological world, law firms – like those in any other industry - are becoming increasingly susceptible to the risk of cyber-attacks. Together solicitors, barristers and legal providers bring in an estimated £43.9 billion in revenue. So perhaps unsurprisingly, as treasure trove of confidential information, nearly ¾ of the top 100 UK law firms have been impacted in some way, from DLA Piper to Gateley, Kirkland & Ellis and most recently Allen & Overy. Chambers (such as 4 New Square) have also been subject, with it impacting 6 per cent of the sets instructing solicitors. Even the American and New York City Bar Association was recently targeted, exposing login information for 1.5 million attorneys’ and 27,000 members. Reliance on IT systems for essential functions, and storage of commercially sensitive information makes firms of all sizes, including individual practitioners, vulnerable to forces that seek to steal or misuse confidential information.
Following its agreed merger with Shearman & Sterling to form “the first fully integrated global elite law firm” (with a whopping $3.4 billion combined revenue) Allen & Overy hit the headlines in recent weeks for being the victim of a cyber ransom attack. Later accredited to LockBit, a cybercrime group, the organization said the stolen data “impacting a smaller number of storage servers” would be published on the 29th of November. An A&O spokesperson said that “detailed cyber forensic work continues to investigate and remediate the incident. As a matter of priority, we are assessing what data has been impacted, and we are informing affected clients.” Well, the deadline passed, and thankfully no stolen data was published.
Allen & Overy has stated that, “we appreciate that this is an important matter for our clients, and we take this very seriously. Keeping our client’s data safe, secure, and confidential is an absolute priority.”
This was not the only attack to hit the headlines last month. Most recently CTS, an IT provider, was targeted, impacting conveyancing practices and resulting in 80 firms being unable to complete transactions. To make matters worse, typically upon the agreed completion day the purchaser’s solicitor arranges for money to be transferred to the seller’s solicitor, and failure to do so is a breach of contract. The property law regulator has intervened saying that lawyers on the other side must be alerted as, “openness is vital for limiting as far as possible disruption and consumer harm.”
Unfortunately, cyber-attacks take many forms from get rich quick ransomware to disruptive hacking, both with very real consequences for law firms and their clients. As to the matter of paying a ransom, it is not illegal to do so. But this year the government has warned, “making or facilitating a ransomware payment risks exposing those involved to civil or criminal penalties where such individuals or entities subject to financial sanctions, known as designated persons […] relating to financial sanction breaches.”