Cyberattacks On Law Firms Are Rising. Here’s What’s Driving It.

Why it matters

Cyberattacks on law firms are surging, driven primarily by ransomware campaigns that encrypt and steal sensitive client data, with incidents nearly doubling year-over-year in some categories per a recent FindLaw report highlighted by Above the Law.[3] Core developments include evolved ransomware tactics like double/triple extortion—exfiltrating data before encryption, threatening leaks, and pressuring clients—which have led to average ransom demands exceeding $4 million and total breach costs averaging $5.08 million per incident.[3][4][5] High-profile examples encompass HWL Ebsworth (3.6TB exposed, 2023), Shook Lin & Bok ($1.89M ransom paid, 2024), and 45 ransomware attacks compromising 1.5 million records in 2024 alone.[1][5]

Involved parties include law firms as primary targets (e.g., 20-25% of U.S. firms hit annually per ABA and Law.com surveys), cybercriminals exploiting phishing (main entry point), unpatched systems, third-party vendors (implicated in 25% of breaches), and insiders, plus clients like public companies demanding rapid disclosure under SEC rules.[1][3][5][7] Reports from FindLaw, Baker & Hostetler (noting 2025 increases), ABA, and frameworks like NIST CSF 2.0 guide responses; a January 2026 JPMorgan incident via an external law firm underscored vendor risks.[2][3][6][13]

This trend stems from law firms' vast repositories of valuable data (contracts, litigation files, privileged communications) amid digital shifts like cloud reliance, hybrid work, and AI-enhanced attacks that make phishing more convincing.[1][3][7][9] The timeline shows escalation: 25% of U.S. firms were attacked in 2021-2023, rising to 1,055 attacks weekly industry-wide (up 13% since 2024), with 11% year-over-year growth in ransomware.[1][5] The story is newsworthy now because of 2026 forecasts of more sophisticated threats, regulatory pressures (e.g., NIST adoption, state AG enforcement), AI dual-use risks (as an attack tool and as shadow liability), and recent disclosures like JPMorgan's amplifying the erosion of client trust.[2][3][4][6]
