When a law firm is breached, the data exposed is not the firm’s. It is the client’s. The firm holds it under privilege, but privilege protects against compelled disclosure in litigation. It does not protect data from a threat actor who has already exfiltrated it. By the time the firm calls a forensic vendor, the matter file is already on a leak site, or already negotiated quietly back, or already being read by whoever bought a copy from a data broker.
For principals and their corporate counterparts, outside counsel is a high-value vendor whose breach posture they almost never audit. Three structural features make law-firm breaches a category worth treating distinctly from breaches of other vendors.
First, the notification cycle is privilege-shielded in a way that other vendors’ cycles are not. A breached managed service provider has commercial incentive to disclose quickly, capped damages on the customer side, and regulators who treat operational opacity as evidence of failure. A breached law firm runs the same notification through counsel, often the firm itself. The forensic record is privileged. The litigation hold is privileged. The internal post-mortem is privileged. What reaches the client is whatever the firm chooses to put outside the privilege envelope, on a timeline the firm controls.
Second, the data density is anomalous. A single matter file at a transactional firm aggregates identity documents, financial statements, transaction structures, draft pleadings, settlement positions, witness statements, and email threads with multiple parties whose direct relationship to the client is not visible elsewhere. A single litigation file aggregates similar density across an opposing party, their counsel, and any third-party deponents. Banking has comparable density on one client; the law firm has it on every client in active matters and every former client in retained archives.
Third, the client-disclosure obligation is asymmetric. Most US state breach-notification laws trigger on the controller of the data, which is the firm as much as the client. The firm decides whether the threshold was met. The firm decides whether the client receives an individualised notice or a summary. Under GDPR, Article 33 requires controller notification to the supervisory authority within 72 hours, but the firm and the client are usually co-controllers or in a controller-processor relationship whose contours are spelled out in the engagement letter, not the statute. The client learns what the firm tells them, when the firm tells them.
The five named incidents below, the 30-day ransomware cohort that follows, and the gap between leak-site activity and published-dataset visibility, together describe a sector exposure that the client side rarely sees in real time.
The 2021-2026 incident shelf
The named incidents below are the ones with confirmed primary-source filings or contemporaneous court records. The list is not exhaustive of law-firm breaches in the period. It is exhaustive of incidents where a verifiable record exists in a state attorney general portal, a regulator filing, or a settlement order.
Orrick, Herrington & Sutcliffe (2023)
Orrick is a large US law firm with a substantial cybersecurity practice. An external threat actor accessed its systems between 28 February and 13 March 2023, with longer dwell on parts of the network confirmed by forensic investigation. The initial notification to Maine in July 2023 covered approximately 153,000 individuals. A second filing in late 2023 expanded the total to 638,023 individuals across multiple states, with notifications reported to state attorneys general in Maine and California and a HIPAA breach reported to the US Department of Health and Human Services. The compromised data included Social Security numbers, driver’s licence numbers, passport numbers, financial account information, payment card numbers, medical treatment and diagnosis information, health insurance ID numbers, and account credentials.
The clients whose data was exposed were largely organisations Orrick was advising on breach response itself. Four class actions consolidated into a single proceeding in the Northern District of California, which granted final approval to an $8 million settlement in 2024. The settlement offered up to five hours of compensated time at $25 per hour, up to $2,500 in ordinary expense reimbursement, up to $7,500 for documented identity-theft damages, and three years of three-bureau credit monitoring with $1 million in identity-theft insurance.
The Orrick chain is a useful baseline. Long undetected dwell. Initial notification number revised upward over months. Multi-jurisdiction filings. Privilege-relevant data exposed. A class-action consolidation that resolved before discovery would have produced a public forensic timeline. The settlement is on the record. The forensic detail is not.
HWL Ebsworth (Australia, 2023)
HWL Ebsworth is one of the largest commercial firms in Australia and a panel firm for the federal government and several state governments. On 28 April 2023, the ALPHV/BlackCat ransomware operation posted on its leak site claiming exfiltration of approximately 4 terabytes of HWLE data. Over a three-week period in June 2023, ALPHV published roughly 1.45 terabytes of the material, including documents implicating Big-4 bank clients and federal agency files. The firm did not pay.
HWLE obtained an interim injunction from the Supreme Court of New South Wales in June 2023, restraining further publication or use of the stolen material. The injunction was made final in February 2024. The Office of the Australian Information Commissioner opened an investigation into the firm’s handling of personal information held prior to the breach; the OAIC is the federal regulator with notifiable-data-breach jurisdiction. McGrathNicol conducted the forensic engagement.
HWLE matters for three reasons. The leak-site cycle ran in public, which is rare for law-firm breaches; the dataset volume was unusually large; and the regulator stepped in on cyber-hygiene grounds rather than waiting for the firm’s own post-mortem. The Australian regulatory posture treated the firm as accountable for the data it held, not as a privileged custodian whose breach analysis would be deferred to the firm itself.
Campbell Conroy & O’Neil (US, 2021)
Campbell Conroy & O’Neil is a US litigation defence firm whose Fortune 500 and Global 500 client list, on its public site, includes Ford, Honda, General Motors, Mercedes-Benz, Boeing, British Airways, and US Airways. On 27 February 2021 the firm detected unusual activity that an investigation confirmed as a ransomware intrusion. Files on the network were rendered inaccessible. The firm engaged forensic counsel, informed the FBI, and proceeded to notification.
The data set exposed included names, dates of birth, driver’s licence and state-ID numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and online account credentials. The firm offered 24 months of credit monitoring, fraud consultation, and identity-theft restoration to individuals whose Social Security numbers or equivalents were exposed.
The exposure pattern here is the litigation pattern. A defence firm holds discovery materials, deposition transcripts, internal-investigation memos, and product-liability records on its clients’ adversaries. A breach of that file set exposes data the firm’s clients have spent years keeping out of the public domain. It is not the firm’s own data that matters; it is the cumulative archive of defended matters.
Gunster, Yoakley & Stewart (Florida, 2022)
Gunster is a Florida-based corporate firm. The intrusion was detected on 27 November 2022. Individual notification did not begin until 6 April 2023, a gap of just over four months. The notification covered approximately 10,000 individuals. The data exposed included Social Security numbers, dates of birth, driver’s licence numbers, passport numbers and other government-issued identification numbers, financial account information, and certain medical information. The Massachusetts attorney general assigned the filing breach number 30188.
A consolidated class action filed in 2023 settled in 2024 for $8.5 million, despite the affected population being roughly one-sixtieth of Orrick’s. The settlement multiple per affected individual is the signal. Class settlements in law-firm cases price the sensitivity of the data, not the headcount.
Bryan Cave Leighton Paisner / Mondelēz (2023)
This incident is the cleanest demonstration of the client-side exposure thesis. BCLP detected suspicious activity on its systems on 27 February 2023. Forensic investigation determined that an outside threat actor had accessed data between 23 February and 1 March, including data the firm held in connection with its work for Mondelēz International, the food and beverage company. BCLP notified Mondelēz on 24 March 2023, 25 days after detection. The data exposed covered more than 51,000 current and former Mondelēz employees and included Social Security numbers, addresses, dates of birth, employee identification numbers, and retirement plan information.
The class action did not name the law firm as a party of last resort. It named the firm and the client jointly. The settlement, $750,000, was a joint settlement, with both BCLP and Mondelēz contributing. This is the resolution shape most cleanly aligned with the structural thesis: the client of the law firm became the defendant in the suit brought by the client’s own employees, whose data the firm was holding under engagement.
Ward Hadaway (UK, 2022)
Ward Hadaway, a regional UK firm, detected an intrusion on 9 March 2022 attributed to the Lorenz ransomware operation. The actor demanded $3 million within a week, doubling to $6 million thereafter. The firm obtained an interim injunction in the High Court restraining publication of stolen material. Documents were uploaded to a leak site after the injunction was issued, including medical reports and Court of Protection files of the kind handled by trusts, estates, and family-law practitioners. The injunction did not prevent the leak. It only restrained named UK parties who could be served.
The 27-day window: leak-site posts below the press threshold
The named incidents above are the visible layer. Underneath them sits a much larger volume of law-firm intrusions that never reach press coverage, never produce a published-dataset record, and almost never trigger client-facing notification on a recognisable cadence. The mechanism that makes them visible at all is the leak-site post: the ransomware operator’s claim, posted to a dedicated extortion site on the dark web, that data has been exfiltrated and will be released if the firm does not pay.
Between 16 April and 12 May 2026, leak-site aggregators (ransomlook.io and breachsense.com) recorded posts naming the following law firms as victims, grouped by ransomware operation:
- Inc Ransom: lopezlawfl.com (10 May), krwlawyers.com (22 April), treelawoffice.com (17 April)
- Akira: Clarkson Walsh & Coulter (11 May), Elia Law Firm (7 May), Law Offices of James C Shields (7 May)
- Qilin: Law Office of Steven R Smith (4 May), Rizzuto Law Firm (4 May)
- DragonForce: The Galliher Law Firm (22 April), Primius Law Firm (22 April)
- LeakBazaar: EJones Law (12 May, 905 GB claimed)
- Bravox: Rivadeneyra Treviño (12 May)
- Genesis: Prescott & Holden (9 May)
- Worldleaks: Peyton Law Firm (1 May)
- Aurora: Law Offices of Michael A. Freedman (29 April)
- Clop: INJURYLAWYERS.COM (28 April)
- Krybit: imbriefamilylaw.com (20 April)
- Payload: Al Sulaiti Law Firm (20 April)
- Safepay: bbalawgroup.com (16 April)
Nineteen named law-firm victims in twenty-seven days, posted by fourteen distinct ransomware operations. None of the firms is on the Am Law 200. The cohort skews to small and mid-sized practices: personal injury, family law, employment and medical-malpractice defence, regional commercial, one Mexican corporate firm (Rivadeneyra Treviño), and one Gulf-jurisdiction firm (Al Sulaiti). The actor distribution matters as much as the victim list. This is not a single group running a campaign against the sector. It is the sector being attritioned by an ecosystem.
Two of the entries warrant specific note. The Akira post on Clarkson Walsh & Coulter (US, South Carolina) catalogued the claimed dataset in detail: client identity records including passports and driver’s licences, contracts and agreements, "legal confidential documents" including court records and police reports, employee information, and financials. That taxonomy is a near-perfect inventory of the categories enumerated under "What gets exposed when a law firm is breached" below; it is what a defence-side litigation file holds. The LeakBazaar post on EJones Law (US, Georgia) claimed 905 GB, the largest single-firm volume in the cohort and an order of magnitude beyond what a small-practice file system would normally hold absent long retention.
Three methodological caveats apply. The aggregators above index two ransomware-leak-site ecosystems; other trackers index different operators, and the real cadence is higher than the cohort above. Some ransomware operations do not maintain public leak sites at all, which means firms that pay quickly or that are extorted under tighter NDAs never appear on any tracker. And by the time a firm appears on a leak site, the negotiation has usually already failed; firms that pay early are not posted.
The cohort exists in plain view. None of the nineteen firms has issued public statements that match the dates of their leak-site appearance. None has filed state-attorney-general notifications that align with the dates. For the client side of these firms, the exposure cycle is invisible.
The databreach-silence asymmetry
The same window can be checked against a different layer of the data-exposure stack. Sites that index published datasets, where the exfiltrated material is searchable and verifiable, are a different ecosystem from leak-site trackers. Leak-site trackers record extortion posts. Published-dataset indices record actual breach corpora, the kind that journalists, researchers, and identity-monitoring vendors query for confirmation.
Across the same 16 April to 10 May 2026 window, the published-dataset stream shows almost no law-firm victims. The exceptions are LexisNexis, which is a legal-data vendor rather than a firm, and Avvo, which is a lawyer directory rather than a firm. The fifteen ransomlook-posted firms do not have corresponding entries in the published-dataset stream.
The gap is the finding. Law-firm leak-site posts rarely escalate to verifiable published datasets. The data is exfiltrated and the firm is named, but the corpus itself does not enter the public addressable archive. Three mechanisms are consistent with that pattern: the firm pays and the post is de-listed; the firm negotiates a partial release that stays within the operator’s private channel; or the operator holds the data for direct sale rather than mass publication, which keeps the corpus off scraping indices.
Whichever mechanism dominates, the implication for the client side is the same. The publicly visible breach surface dramatically understates the law-firm victim count. And in jurisdictions where client-facing notification obligations only trigger on confirmed public exposure of identifiable data, an exfiltration that resolves through quiet negotiation can pass without ever reaching the client. The notification gap is not a regulatory loophole. It is a procedural consequence of where the law draws the trigger.
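The two checks described above, grouping a window of leak-site posts by operator and then testing each named victim against a published-dataset index, can be run mechanically, and the same matching step lets a client test its own legal panel against the feed. The following is an added example, not code from the original article or from either aggregator it names. The tracker feed, the dataset index, the panel list and the window dates are all constructed, and the normalisation rule (lowercase, strip a trailing TLD and punctuation) is an assumption about how a panel firm’s name can be matched against the domain-style victim labels that leak sites often use.

```python
"""Cross-reference leak-site extortion posts against a published-dataset
index and a corporate legal panel. Added example; all data is constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeakPost:
    operator: str            # ransomware operation that made the claim
    victim: str              # firm name or domain exactly as shown on the leak site
    posted: date
    claimed_gb: float | None = None


@dataclass(frozen=True)
class PublishedDataset:
    victim: str              # organisation named in the published-dataset index
    indexed: date


def normalise(name: str) -> str:
    """Assumed matching rule: 'Example Law FL' and 'examplelawfl.com' share one key."""
    key = name.strip().lower()
    key = re.sub(r"\.(com|net|org|law|co\.uk)$", "", key)  # drop a trailing TLD
    return re.sub(r"[^a-z0-9]", "", key)                    # drop spaces and punctuation


def in_window(posts: list[LeakPost], start: date, end: date) -> list[LeakPost]:
    """Posts whose leak-site date falls inside the observation window (inclusive)."""
    return [p for p in posts if start <= p.posted <= end]


def group_by_operator(posts: list[LeakPost]) -> dict[str, list[str]]:
    """Victims per operation, newest post first, as in the cohort list above."""
    groups: dict[str, list[str]] = defaultdict(list)
    for p in sorted(posts, key=lambda p: p.posted, reverse=True):
        groups[p.operator].append(p.victim)
    return dict(groups)


def cohort_summary(posts: list[LeakPost]) -> tuple[int, int]:
    """(distinct victims, distinct operations) for the window."""
    return (len({normalise(p.victim) for p in posts}),
            len({p.operator for p in posts}))


def silence_gap(posts: list[LeakPost], datasets: list[PublishedDataset],
                start: date, end: date) -> list[LeakPost]:
    """Posts whose victim never appears as a published corpus in the window."""
    published = {normalise(d.victim) for d in datasets if start <= d.indexed <= end}
    return [p for p in posts if normalise(p.victim) not in published]


def panel_matches(posts: list[LeakPost], panel: list[str]) -> list[tuple[str, LeakPost]]:
    """Leak-site posts that name a firm on the client's own legal panel."""
    keys = {normalise(firm): firm for firm in panel}
    return [(keys[normalise(p.victim)], p) for p in posts if normalise(p.victim) in keys]


# --- constructed sample data (not real firms, operators or dates) ---
WINDOW_START, WINDOW_END = date(2026, 4, 16), date(2026, 5, 12)

SAMPLE_POSTS = [
    LeakPost("OperatorA", "examplelawfl.com", date(2026, 5, 10)),
    LeakPost("OperatorA", "Smith & Jones Law", date(2026, 4, 22)),
    LeakPost("OperatorB", "Doe Family Law", date(2026, 5, 7), claimed_gb=120.0),
    LeakPost("OperatorC", "Roe Injury Lawyers", date(2026, 5, 4)),
    LeakPost("OperatorD", "Old Post Firm", date(2026, 4, 1)),   # before the window
]

SAMPLE_DATASETS = [
    PublishedDataset("Roe Injury Lawyers", date(2026, 5, 9)),   # the one post that escalated
    PublishedDataset("Legal Data Vendor Inc", date(2026, 4, 30)),  # a vendor, not a firm
]

PANEL = ["Example Law FL", "Acme Counsel LLP"]   # the client's hypothetical legal panel


if __name__ == "__main__":
    window = in_window(SAMPLE_POSTS, WINDOW_START, WINDOW_END)
    victims, operators = cohort_summary(window)
    print(f"{victims} named victims posted by {operators} distinct operations")
    for op, names in group_by_operator(window).items():
        print(f"  {op}: {', '.join(names)}")
    gap = silence_gap(window, SAMPLE_DATASETS, WINDOW_START, WINDOW_END)
    print(f"{len(gap)} of {len(window)} posts have no published corpus in the window")
    for firm, post in panel_matches(window, PANEL):
        print(f"PANEL HIT: {firm} named by {post.operator} on {post.posted}")
```

The matching key is deliberately crude: real tracker feeds mix legal names, trading names and bare domains, so a production version would carry an alias table per panel firm rather than rely on string collapse alone. The `silence_gap` result is the operational number for the client side; every post it returns is a firm that has been named by an operator but whose data has not surfaced where a notification trigger tied to public exposure would fire.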
This empirically supports the privilege-shielded notification thesis from the opening. Other vendors get audited on their public exposure surface. Law firms, structurally, do not have one.
What gets exposed when a law firm is breached
The data categories below are recurring across the verified incidents and the leak-site cohort. They are the categories that make law-firm files distinct from other vendor breaches.
Privileged communications. Email threads, internal memos, draft pleadings, opposition research, deal-team coordination, and joint-defence material whose disclosure would be resisted in litigation. Once exfiltrated, the privilege itself is structurally unrecoverable, regardless of any later court order.
Settlement amounts and transaction structures. Pre-litigation settlement positions, mediation submissions, draft term sheets, deal economics not yet disclosed in public filings, escrow arrangements, and earn-out structures. These are commercially sensitive in the strict sense: their publication moves markets, restructures negotiations in progress, and prejudices the client’s position in active matters.
Witness statements and deposition material. Including statements from witnesses who consented to the deposition but not to the publication; investigatory interviews whose subjects have legal protections that do not extend to data held by external counsel.
Identity and KYC documents from intake files. Passport and driver’s licence scans, signed beneficial-ownership declarations, source-of-funds documentation, and PEP screening output. The intake file at a transactional firm is often the cleanest identity record on the principal anywhere in the supply chain.
Underlying matter files for completed engagements. Estate plans, prenuptial agreements, separation agreements, criminal defence files, immigration filings, fertility-clinic documentation handled through specialist counsel, gender-identity-related filings, and other matter categories whose retention by the firm extends years past the closure of active billing.
The retention dimension is the dimension principals tend to underestimate. The breach population is not the active client base. It is every client whose matter file remains on the firm’s systems under any retention rule, including former clients whose engagements closed a decade earlier.
Why law firms are persistent targets
The ABA 2024 Cybersecurity TechReport, which surveys US legal practitioners on security posture, reports that 36 per cent of responding firms experienced a security incident in the prior year, up from 29 per cent in the 2023 report. Of the firms that experienced a breach, 56 per cent reported the loss of sensitive client information. Only 34 per cent of surveyed firms reported having an incident response plan in place, down from 42 per cent in earlier reporting. The reported average cost of a data breach in the legal sector reached $5.08 million in the 2024 reporting window, a roughly 10 per cent year-over-year increase.
The 34 per cent incident-response-plan figure is the load-bearing number. It is not the volume of attacks against law firms that is anomalous; the volume tracks the broader pattern of small and mid-sized organisations across all sectors. What is anomalous is the response capacity. A defended Fortune 500 enterprise will detect, contain, and notify on a much faster timeline than the firms representing it.
The Mandiant M-Trends 2025 report, which aggregates frontline incident-response data, places "business and professional services" (the bucket that contains law firms) at 11.1 per cent of intrusions investigated, second only to financial services at 17.4 per cent. The M-Trends 2026 report records global median dwell time at 14 days in 2025, up from 11 days in 2024 and 10 in 2023. The headline finding is more striking still: the median time between initial access and lateral handoff to a follow-on actor is now 22 seconds, down from more than eight hours in 2022. That is not the figure that matters to a law firm specifically; it matters because the modern ransomware affiliate market has industrialised the handoff. A firm’s window to detect first-stage compromise has collapsed to where most legal-sector defences cannot meaningfully respond.
Three structural attractions for the actor side persist. Data density, as established. Lighter detection capacity than financial-services and tech-sector clients of the same firms. And the privilege-shielded notification window, which strengthens the operator’s negotiating position; the firm has reasons beyond commercial reputation to negotiate quietly, because public disclosure cascades into client notifications, malpractice exposure, bar-conduct review, and matter-specific privilege challenges.
If your organisation uses outside counsel on matters that hold identity records, transaction structures, or matter files of long retention, the firm’s breach posture is part of your exposure surface, whether you have audited it or not.
Law firms as a third-party exposure surface
Most corporate third-party-risk programmes treat outside counsel as an out-of-scope vendor. The procurement gate that catches SaaS providers, managed-service providers, and back-office processors typically does not engage on legal panels. Legal panels are selected by the general counsel’s office, not by procurement; selection criteria centre on matter expertise, conflict clearance, and rate; security questionnaires are perfunctory if they are sent at all.
The structural argument for moving law firms inside the third-party-risk perimeter is the same argument that applies to any vendor holding identity records, transaction data, or commercially sensitive material. The argument is not that law firms are uniquely insecure. It is that they are uniquely concentrated. A single firm at the head of a corporate panel may hold matter data for every M&A transaction, every regulatory investigation, every employment dispute, every commercial litigation, every executive separation, and every board-level investigation the client has run in the prior decade. The blast radius of a single law-firm breach is the cumulative blast radius of all those engagements.
This is the third-party-cyber-risk framing we map under Third-Party Cyber Risk Assessment: the supplier’s exposure becomes the client’s exposure at the moment of compromise, and the engagement letter rarely allocates that exposure cleanly. The supply-chain attack literature, including the work we summarised in Digital Exposure as a NIS2 Risk Vector, treats this as the operative pattern. Law firms are the case where the pattern is densest and least audited.
What principals can ask their counsel
The questions below are not a security questionnaire. They are the discovery questions a principal can put to the firm at engagement, at panel review, or at the close of a matter. None of them require the firm to disclose privileged information about its own incidents.
Breach-notification timing in the engagement letter. What is the firm’s contractual commitment on notifying the client of a security incident affecting the client’s data? Is it tied to the firm’s own determination of "reasonable belief," or to a calendar trigger (24 hours, 72 hours)? What is the escalation path if the firm’s general counsel and the firm’s outside breach counsel are the same person?
Matter-file segregation. Are the client’s matter files segregated from the firm’s general document management system, or do they sit in a shared tenancy with every other client’s files? Is the segregation logical (access controls) or physical (separate infrastructure)? What is the firm’s policy on which matters are held in cloud-based eDiscovery platforms versus on-premise?
Cyber-insurance evidence. Will the firm provide a certificate of insurance naming the client as an additional interested party, with carrier name, policy limits, retention, and ransomware sub-limits visible? Cyber-policy carve-outs for ransomware payments became common after 2022; the client should know whether a payment, if needed, would even be covered.
Sub-counsel and vendor disclosure. Which third parties receive copies of the client’s matter file in the ordinary course? eDiscovery vendors, document review platforms, translation services, expert witnesses, jury consultants, and printers. Each is a separate breach surface; the engagement letter typically does not name them.
Retention and destruction after matter close. What is the firm’s retention default for closed matters? How is destruction confirmed, and to whom is the confirmation issued? Does the firm honour a client’s instruction to return or destroy at close, or does the firm’s own conflict-clearance and malpractice-defence policy require longer retention regardless?
Prior incident history. Has the firm experienced a security incident in the prior thirty-six months that resulted in notification to any client, regulator, or affected individual? The firm is not asked to disclose the substance of those incidents. It is asked to confirm the occurrence and the rough scope, the way any vendor would be asked.
None of these questions is hostile. All of them are the questions that would be standard for any other vendor holding equivalent data. That they are unusual to ask of outside counsel is a measure of how distant the legal-panel review is from the rest of corporate third-party risk.
The client-side conclusion
Law-firm breaches are a structurally distinct exposure category. The notification cycle runs through privilege, which the client does not control. The data density per matter file is higher than at most other vendor categories. The publicly visible breach surface is unrepresentative of the actual victim count, because leak-site posts rarely escalate to published datasets, and the gap is a procedural feature of how the sector negotiates.
The named incidents above resolved in court because the firms either did not pay, did not negotiate quickly, or were posted by operators that maintain public leak sites as a matter of policy. For every Orrick, HWL Ebsworth, Campbell Conroy, Gunster, BCLP, and Ward Hadaway with a verifiable record, there are firms whose 2023, 2024, 2025, and 2026 incidents resolved quietly and never reached client notification. The leak-site cohort visible in any given thirty-day window is a sampling artefact, not the population.
For principals, the practical position is simple. The firm is a vendor. Its breach posture sits inside the client’s exposure surface, whether the procurement function maps it that way or not. The questions above are reasonable to ask. The answers belong in the engagement file.
If this kind of exposure affects your organisation, a Corporate Audit maps the full surface.
Sources
Orrick, Herrington & Sutcliffe, 2023
- Maine Attorney General — Data Breach Notices index
- Law.com — Orrick’s Data Breach Was Bigger Than Previously Reported
- BankInfoSecurity — Court Finalizes $8M Settlement in Orrick Data Breach Litigation
- Cybersecurity Dive — Extent of cyber-specialist law firm’s data breach grows
HWL Ebsworth, 2023
- HWL Ebsworth — Cyber Incident statement
- The Register — Data leak at Australian law firm spooks government, business
- Cyber Daily — Full list of government agencies affected
Campbell Conroy & O’Neil, 2021
- Campbell Conroy & O’Neil — Notice of Data Privacy Incident
- BleepingComputer — Ransomware hits law firm counseling Fortune 500
- SecurityWeek — Law Firm Campbell Conroy & O’Neil Discloses Ransomware Attack
Gunster, Yoakley & Stewart, 2022
- Massachusetts AG — Filing 30188 (Gunster, Yoakley & Stewart)
- Gunster — Notice of Data Security Incident
- Law360 — Gunster to Pay $8.5M Over 2022 Data Breach
Bryan Cave Leighton Paisner / Mondelēz, 2023
- Bloomberg Law — Bryan Cave Hit by Cyberattack Involving Client Mondelēz’s Data
- Cybersecurity Dive — Mondelēz retirement data breached after hacker targets law firm Bryan Cave
- ABA Journal — BigLaw firm and client agree to settlement in data-breach suit
Ward Hadaway, 2022
- Law Society Gazette — Ward Hadaway blackmailed after cyber attack
- Law Society Gazette — Hacker uploaded Ward Hadaway documents after injunction
Sector-level statistics
- American Bar Association — 2024 Cybersecurity TechReport
- Mandiant — M-Trends 2025 (PDF)
- Google Cloud Blog — M-Trends 2025: Data, Insights, and Recommendations
Leak-site and published-dataset stream
- Ransomlook.io — ransomware leak-site aggregator
- Breachsense — leak-site and breach aggregator
- Databreach.com — published-dataset index
- Breachsense — EJones Law data breach record (LeakBazaar, 905 GB)
- RedPacket Security — Akira ransomware victim: Clarkson Walsh & Coulter
- RedPacket Security — Genesis ransomware victim: Prescott & Holden