Law firms are custodians of some of the most sensitive information in commercial life. That role has made them a prime target for cybercriminals, and the threat is intensifying rapidly.
Recent incidents involving leading international firms have served as a stark reminder: cyber risk cannot be treated as a peripheral IT issue, but a central business and regulatory concern. For UK law firms in particular, the convergence of technological change, regulatory scrutiny and organised cybercrime has created a complex threat environment.
A Shift in the Nature of Attacks
Historically, cyber incidents in professional services were associated with ransomware. Systems would be locked, files encrypted, and payment demanded for restoration. That model persists, but recent developments point to a more concerning evolution: data extortion.
In May 2026, US firm Weil, Gotshal & Manges was reportedly targeted by the cyber extortion group known as Luna Moth. Hackers are understood to have obtained confidential client documents and threatened to publish them unless a significant payment was made. The sum demanded was reportedly in the region of $18–20 million.
Crucially, this attack did not rely on disabling systems but exploiting the reputational sensitivity of the information itself. For law firms, this represents a fundamental risk with the weaponisation of client confidentiality by threat actors meaning that the threat of disclosure can be as damaging as the breach itself.
The same group has been linked to a separate incident reportedly affecting Jones Day earlier in 2026, where hackers are said to have accessed files relating to a number of client matters through a phishing attack. These incidents are not isolated but demonstrate a clear and deliberate pattern of targeting the reputation, confidentiality and trust on which law firms are built.
Why Law Firms Are Being Targeted
Law firms sit at the centre of high-value, high-sensitivity information flows. They are trusted partners to their clients, holding confidential details relating to mergers and acquisitions, litigation strategies, intellectual property, and private client matters. This makes them uniquely attractive to cybercriminals.
According to law enforcement warnings in the United States, groups such as Silent Ransom Group have been targeting law firms precisely because of the highly sensitive nature of the data they hold. The National Cyber Security Centre (NCSC) has echoed these concerns in its threat report on the UK legal sector, identifying law firms as high-value targets for both state-sponsored actors and organised criminal groups.
The tactics employed have also become increasingly brazen. In June 2026, investigators linked to a CNN report described incidents where cybercriminals allegedly hired individuals to gain physical access to law firm premises in the US, posing as IT staff in order to install malicious devices or extract data directly. Aligning both cyber and physical elements of an attack illustrates an ever-increasing risk.
The UK Perspective: Regulation and Consequence
While many of the most high-profile incidents have occurred in the United States, the NCSC reported that nearly three quarters of the UK’s top 100 law firms have been impacted by cyber-attacks. UK law firms can, and should, be learning lessons from these attacks.
The Information Commissioner’s Office (ICO) has made clear that failures in cybersecurity will attract enforcement action. In April 2025, a UK law firm was fined £60,000 after a cyber attack resulted in sensitive client information being exposed on the dark web. The ICO found that inadequate security measures, including the absence of multi-factor authentication, had left the firm vulnerable. Compounding the regulatory breach, the firm also failed to report the incident within the required timeframe, a failure that underscored the importance not only of prevention but of preparedness.
For practitioners, the message is clear: cybersecurity is not simply best practice. Failures carry financial penalties, reputational damage, regulatory scrutiny and potential professional consequences.
The increasing threat has not been lost on the profession's representative bodies. In May, the Law Society published dedicated guidance for solicitors on cybersecurity preparedness, setting out practical steps firms should take to safeguard client data and mitigate cyber risk. The NCSC has similarly published sector-specific guidance for the legal profession. Together, these publications reinforce a clear message that cybersecurity must be treated as a core professional responsibility, and firms that fail to engage with it do so at their own risk.
The Role of Artificial Intelligence
Layered onto this already challenging landscape is the rapid advancement of artificial intelligence.
AI has lowered the barrier to entry for cybercrime dramatically. Attacks that once required significant technical expertise can now be executed at scale, with speed and precision that would have been unimaginable only a few years ago. Phishing emails, long the most common attack vector, have become highly convincing and are now frequently indistinguishable from legitimate communications. The Law Society of Scotland notes that AI is effectively "turbo-charging" cyber attacks, enabling threat actors to craft targeted, context-aware approaches that exploit the specific language and conventions of legal practice.
The statistics underline the scale of the problem. According to the Law Society Gazette, attacks on UK law firms increased by 77% in a single year, while the NCSC's Annual Review 2025 recorded a 130% jump in cyber incidents across all sectors, identifying artificial intelligence as a key driver for the increase.
The implications are significant. Payment diversion fraud, credential harvesting, and email compromise are all becoming harder to detect. In some cases, deepfake technology has already been used to impersonate senior executives convincingly enough to authorise substantial financial transfers. For firms handling client funds or time-sensitive transactions, the risk is particularly acute, and the margin for error is small.
From Awareness to Action
The cumulative effect of these developments is a clear shift in expectations. Clients are increasingly asking not just whether their advisers are technically competent, but whether they are secure custodians of sensitive information. Regulatory bodies are asking the same question, and the consequences of an unsatisfactory answer are growing more severe. Law firms must therefore move beyond reactive cybersecurity measures and adopt a more strategic, embedded approach.
At a minimum, this should include:
- Implementing robust access controls, including multi-factor authentication across all systems
- Regularly testing systems through penetration testing and attack scenario exercises
- Training staff to recognise increasingly sophisticated phishing and social engineering attacks
- Ensuring clear incident response plans are in place and understood at all levels
- Engaging with specialist cybersecurity advisers where appropriate
Conclusion
The recent wave of cyber incidents affecting law firms is a reflection of a shift in the threat landscape, and which shows no sign of abating. The firms that will navigate this environment successfully are those that treat cybersecurity not as a cost centre or a compliance exercise, but as a fundamental component of client service and professional integrity.
The challenge is twofold: to keep pace with threats that are evolving at unprecedented speed, while meeting regulatory expectations that are tightening in parallel. Those that rise to that challenge will not only protect their clients but differentiate themselves in an increasingly security-conscious market.
Those that do not should be under no illusion that the consequences of inaction, whether measured in regulatory penalties, client attrition, or lasting reputational harm, will far exceed the cost of preparation.