Law Firm Data Breach Statistics [Updated 2025]

Law firms stand as custodians of some of society's most sensitive information, entrusted with safeguarding client confidentiality, proprietary data, and legal strategies. However, as the reliance on digital technologies grows, so does the threat landscape surrounding these institutions.
Cyber attacks targeting law firms, and data breaches within them, have become an increasingly prevalent and concerning issue, casting a shadow over the profession's integrity and raising critical questions about cybersecurity preparedness.
Weaknesses in data security are often the result of poor, inappropriate, obsolete or untested systems, controls or training in relation to GDPR awareness or cybersecurity measures.
At PDA Legal, we provide specialist cybersecurity audits, consultancy and training for the legal sector coupled with a range of GDPR services to support legal firms in protecting themselves and their clients' data from data breaches. It’s an unfortunate reality that we frequently identify or encounter gaps in security processes or controls which firms are unaware of (and even shocked by, once the vulnerability is brought to their attention).
Whilst most legal practices would agree data security and integrity are important when asked, when it comes to action, many still regard data security as somewhat of an after-thought or simply “...an IT issue…”; one where the simple installation of anti-virus and/or firewall software is assumed to be all that is required to keep data safe.
So is that sufficient? What exactly is the degree of risk in the ‘real world’? When time-sensitive, revenue-generating work is mounting up, is there a sufficient business need to review security measures?
In this article, we provide you with some of the most recent statistics relating to data breaches within the legal sector.
Recent Statistics - UK Law Firm Data Breaches
- Total SRA Fines Issued: The SRA issued 44 fines totalling £556,832 in 2023/24 for AML non-compliance. (SRA.Org)
- Increased Enforcement Action: In 2023/2024, the SRA submitted 23 suspicious activity reports, performed 237 proactive inspections and 258 desk-based reviews, and brought enforcement action against 78 firms and individuals. (SRA.Org)
- Fines for DKLM and Hattens: In 2023, London law firm DKLM and Essex firm Hattens were each fined over £12,000 for AML failures, including inadequate risk assessments and AML controls. (Legal Futures)
- Ashfords LLP Penalty: In November 2023, national firm Ashfords LLP received a fine exceeding £100,000 for AML compliance breaches related to three conveyancing transactions, which were flagged as “matters of concern”. (JGLaw)
- Fairbrother & Darlow Fine: In February 2024, Bracknell-based Fairbrother & Darlow was fined £16,052.80 for AML non-compliance, including lacking a firm-wide risk assessment (FWRA) and policies, controls and procedures (PCPs). (JGLaw)
- SDT Referrals: In 2023/24, the SRA referred four cases to the Solicitors Disciplinary Tribunal for serious AML breaches. (SRA.Org)
- Persistent Non-Compliance: Despite increased enforcement, only 22% of law firms inspected in 2023/24 were fully compliant with AML requirements, indicating ongoing challenges in the sector. (Today’s Conveyancer)
- Leonard Solicitors Fine: Siamak Goudarzi of Southampton firm Leonard Solicitors was fined £18,750 for various AML breaches, including inadequate due diligence on client funds and failing to maintain compliant risk assessments. (Today’s Family Lawyer)
- Victims of Cyber Incidents: A 2022 report by Cert-UK announced that 65% of UK law firms have been a victim of a cyber incident. (The Law Society)
- Lack of Cyber Mitigation Planning: 35% of firms still do not have a cyber mitigation plan in place. (The Law Society)
- Lack of Cyber Insurance: The Law Society of England and Wales reports that seven in 10 firms (72%) have not purchased cyber insurance. (The Law Society)
- Third-Party Security Assessments: Whilst larger firms are more likely to engage third parties for a security assessment, the numbers are still low - 40% for firms of 50-99 lawyers and 53% for firms of 100-499 lawyers. (AAG IT)
- Rising Concerns for Law Firms: Cyber threats are now a concern for 78% of the top 100 law firms in the UK. (AAG IT)
- Increasing Cyber Breaches: The number of reported cyber breaches at UK law firms jumped by 36% in 2022/23 as hackers increasingly target the profession. (Legal Futures)
- Losses From Cyber Attacks: Over £4 million of client money was stolen from just 23 UK law firms who reported suffering a cyber attack. (AAG IT)
- Cyber-Attack Wipes 8% in an Hour: In 2021, a city law firm reported that it had lost client data as a result of a cyber-attack. It was reported that the market reacted swiftly, wiping almost 8% off its share value within an hour of the statement. (UK National Cyber Security Centre)
- Rising Scam Alerts: The SRA published 278 scam alerts in response to reports from the public and professionals between January 2022 and January 2023. These scam alerts highlight reports of people falsely claiming to be solicitors and firms, for example on websites or in emails and telephone calls. (UK National Cyber Security Centre)
- 3 in 4 Firms Affected By Cyber Attacks: In 2020, nearly three-quarters of the UK’s top 100 law firms had been affected by cyber attacks, and for smaller firms that have little or no dedicated cyber security and IT support, the risk of incidents like ransomware attacks is on the increase. (UK National Cyber Security Centre)
- Cybercrime Often Starts With Email: Over 80% of all the cybercrime reports we received in 2021 involved email. (SRA.Org)
- Negligence Is Costly: The ICO can fine up to 4% of a company’s total annual worldwide turnover in the last financial year or £17.5 million, whichever is higher, for negligent treatment of client data. (ICO.Org)
The Key Statistics - UK Businesses in General
Ultimately, law firms sit as a subset of other business types, so we have included some general UK cyber-security statistics to help compare the above with businesses in a wider context:
- Digital Fraud: 53% of all UK fraud is online, equating to 1.9 million offences. (The Law Society)
- Phishing Is the Biggest Danger: In 2024, 84% of UK businesses that experienced cyber security breaches encountered phishing attempts. (Twenty Four IT)
- UK-Wide Victims of Cybercrime: 32% of UK businesses reported suffering a cyber attack in 2022-23. (AAG IT)
- Threat of Employee Negligence: Nearly 75% of breaches occur due to employee actions – whether accidental (such as opening links from phishing emails) or deliberate (such as giving login information to hackers in return for money). (AAG IT)
We Are Here to Help You to Protect Your Firm From Data Breaches
At PDA Legal, we are committed to supporting your firm with supportive audits, consultancy and training to help maintain your team’s awareness in support of best practices and compliance with regulations regarding data protection. Our services are provided by industry experts, so please get in touch to book a FREE initial consultation today.