Gateley criticised for not protecting client data


Cyber attack: Gateley lost small proportion of data

A law firm specialising in data breach litigation has criticised Gateley for not keeping client data safe in the wake of the cyber-attack it suffered earlier this week.

Gateley, the first law firm to list in the UK, told investors on Wednesday that it was confident the attack was confined to just 0.2% of its data, but that this included client data.

It said those clients would be notified when the firm’s investigations “are further progressed”.

Jon Else, a partner at Cheshire law firm Hayes Connor, which specialises in data breach cases, said: “It’s a positive step that Gateley was able to identify the attack shortly after it happened but it still did not prevent the loss of client data.

“Consumers and businesses trust law firms with their data and Gateley should have ensured this.

“They should immediately contact their clients to confirm which steps they have put in place to ensure data isn’t accessed. Clients will want to know how the firm can ensure it doesn’t happen again and what they intend to do for those affected.”

Andy Barratt, UK managing director at cybersecurity consultancy Coalfire, said: “While this incident only relates to a small proportion of the data held by the firm, and appears to have been mopped up relatively quickly, both the SRA and Information Commissioner’s Office will express concerns given the sensitive nature of Gateley’s work.

“Data breaches can result in fines of up to 10% of a firm’s global earnings, which in Gateley’s case could be upward of £10m – something that will no doubt cause concern given its status as a PLC.

“More immediately worrying though, is the potential for case data to have been accessed given the unscrupulous nature of hacking groups, who won’t necessarily show evidence of where they’ve hidden it.

“With scenarios like the Panama Papers in the past leaking vast amounts of attorney-client information, it’s imperative that large law firms have robust security and privacy controls in place and a zero-trust security model that assumes compromise.”

Earlier this year, an analysis by US security firm AdvIntel showed how some ‘threat actors’ gained access to a firm and then sold that access on the dark web, while others went further and stole data to market it for sale.

“Depending on the legal documents offered, threat actors could use the information for such activities as fraud, espionage, and blackmail, all severe risks for an individual or firm that are directly rooted in the compromise of their legal services provider,” it said.

“The case of a ransomware attack against a law firm illustrates how these dangers come to a head. In the spring of 2020, a ransomware group launched an attack on the firm, likely by using a remote desktop protocol vulnerability to upload their malware.

“The gang stole a large amount of confidential client information and threatened to release it unless a large ransom was paid. Later, the group began auctioning off the data of individual clients.”

AdvIntel also highlighted the use of ‘botnet infections’ and compromised remote desktop protocol credentials to attack law firms.




    Readers Comments

  • Anon says:

    Let’s just hope Hayes Connors’ data security is tip-top and they never have a security breach #pridebeforeafall

  • Anon 2 says:

    Some Firm that says ‘they seek to get maximum compensation’ makes banal comments about Gateley ought to protect data. It is unlikely any serious law firm doesn’t invest in IT security and only uses major software products. Possibly Gateley tried – but if people are hacking Apple’s new models, the NI Health System, the main US gas pipeline – perhaps we all need more government cyber agency support to disrupt and hunt out such people. And No I don’t work or even know anyone at Gateley.


Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog


Keeping the conversation going beyond Pride Month

As I reflect on all the celebrations of Pride Month 2024, I ask myself why there remains hesitancy amongst LGBTQ+ staff members about when it comes to being open about their identity in the workplace.


Third-party managed accounts: Your key questions answered

The Solicitors Regulation Authority has given strong indications that it is headed towards greater restrictions on law firms when it comes to handling client money.


Understanding vicarious trauma in the legal workplace

Vicarious trauma can happen to anyone who works with clients who have experienced trauma such as domestic or other violence, child abuse, sexual assault, torture or being a refugee.


Loading animation