Date: 2023-06-22

Remote working threatens law firms’ ability to securely hold their clients’ secrets, according to GCHQ’s cyber defence arm.

In a warning to the UK’s £36bn legal sector, the National Cyber Security Centre (NCSC) said on Thursday that nation states are now a major hacking threat to law firms.

It follows a spike in attacks from Russia, with online criminals from Vladimir Putin’s country engaging in a renewed wave of data thefts and leaks to the dark web.

Remote and hybrid working both “create challenges for maintaining secure working practices” that increase the risks to law firms in particular, according to a new NCSC report.

Chief executive Lindy Cameron said: “The UK legal sector carries out essential work to uphold our society; however, we know the sensitive data legal firms handle can make them attractive targets to online attackers.”

British Airways, Boots and a host of other large UK companies were hacked by a Russian-speaking cyber gang calling themselves Clop, the Russian word for a type of blood-sucking bedbug, earlier this month.

BA wrote to all of its 34,000-strong workforce warning them that their details had been accessed by cyber criminals, while other UK companies including insurer Aon have confirmed that their files were accessed by the attackers.

Law Society president Lubna Shuja said on Thursday: “It is vitally important that solicitors and law firms, whether large or small, are aware of the cyber threats they face and take steps to safeguard their systems.”

Figures from PwC suggest that, on average, London law firms spend just 0.5pc of their fee income on cyber security.

British law firms and barristers’ chambers have been targeted by online criminal gangs in the past. One London barristers’ chambers, 4 New Square, faced derision after obtaining a non-disclosure injunction against “person or persons unknown” who were “blackmailing” the chambers in 2021 following a ransomware attack.

Criminal defence firm Tuckers Solicitors had almost 25,000 case bundles – collections of legal documents for court cases – encrypted in a separate ransomware attack in the same year.

Sixty of the bundles were later published on the dark web, with the Information Commissioner’s Office fining the firm £98,000 for failing to properly secure its files.

After the fine, Tuckers said it had “implemented a broad range of measures” to prevent a similar breach happening again.

Three years ago Russian hackers targeted a Hollywood law firm used by A-list celebrities including Madonna, Rod Stewart and Lady Gaga. Grubman Shire Meiselas & Sacks said at the time it was working with cyber security experts to contain the breach.

The REvil criminal gang later leaked some stolen data on the dark web, a move experts say is normally associated with a victim refusing to pay a ransom.

Gang members have since been hit with financial sanctions and criminal charges by the US government.

