Law firm cyberattacks: Stats and trends for 2025
Law firm cyberattacks are on the rise. Learn about the threats, how they're evolving, and what you can do about them.
To say that law firm cyberattacks are common these days is a massive understatement. In the past few years, the legal industry has been significantly impacted by cyberattacks, with more and more law firms being affected each year.
Cyberattacks are a pressing issue in just about every industry, but due to the amount of sensitive information that law firms process, the legal industry is at an especially high risk. So, how many law firms are affected by cyberattacks each year? And what financial impact does this have on the industry as a whole?
In this article, we’ll break down some of the most pressing cyberattack statistics and trends for the legal industry to help you understand the impact data breaches and malware have on law firms.
The importance of cybersecurity for law firms
In today’s digital landscape, cybersecurity is an important part of every business. Because if the door is left open, cybercriminals will let themselves in.
Law firms are particularly susceptible to cybercrime due to the gold mine of confidential information that lawyers store. With details on trade secrets, medical records, intellectual property, and all kinds of information and secrets that individuals would rather not have exposed, a hacker is drawn to a lawyer’s hard drive like a moth to a flame.
Cyberattacks have become more frequent for law firms: according to a 2024 survey, up to 40% of law firms have experienced a security breach. A strong cybersecurity policy and incident response plan can prevent costly breaches and reduce the impact of attacks.
Law firms that ignore cybersecurity face an increased level of risk. After all, lawyers have regulatory and ethical obligations to protect their clients’ information.
Beyond the obvious financial and reputational risks, legal professionals also face regulatory risks when it comes to cybercrime. Under the ABA Rule 1.6 Confidentiality of Information, attorneys must make reasonable efforts to detect breaches and avoid client data loss. Failing to do so can result in an ethical violation under the ABA’s Formal Opinion 483 and land a firm in court facing a costly lawsuit for failing to protect client data.
11 legal industry cyberattack statistics for 2025
- The average cost of a data breach for law firms in 2024 was $5.08 million, a more than 10% increase from the previous year. (Clio)
- Good cybersecurity practices are becoming a strong selling point for law firms. In 2025, more than a third of legal clients (37%) were willing to pay a premium for law firms with stronger cybersecurity measures. (Integris)
- According to a recent survey, 56% of law firms that experienced a data breach in the last year lost sensitive client information. (Arctic Wolf)
- In 2023, 80% of law firms had at least one technology insurance policy in place, but only 34% had an incident response plan. (ABA)
- With phishing attempts being some of the most common types of cyberattacks against law firms, spam filters are a popular cybersecurity measure for firms. In fact, in 2023, 80% of law firms used spam filters as their primary cybersecurity tool. (Tech Advisors)
- 2023 was a record-breaking year for ransomware attacks on law firms, with more than 45 attacks compromising over 1.5 million records. (Cyber Security Tribe)
- In 2024, 42% of data breaches were identified internally by the affected organization. Meanwhile, 34% were discovered by third parties, and 24% were disclosed by the attackers themselves. This was an improvement from 2023, when only about one in three breaches were detected internally. (IBM)
- Under the American Bar Association’s Model Rule 1.6(c), lawyers are required to make reasonable efforts to prevent unauthorized access to or disclosure of client information. (ABA)
- Less than half (43%) of law firms conduct online backups of data. (ABA)
- The average cost of a data breach for small law firms and sole practitioners, at $36,000, is much less than that of larger firms. (Tech Advisors)
- The most common types of cyberattacks targeting law firms are phishing, ransomware, DDoS, and insider threats.
Emerging cyberattack trends in the legal industry 2025
If a law firm’s expertise isn’t in the cyber realm, why should they care about understanding cybersecurity happenings? Because, as the ABA states, “you can’t fix it if you don’t know it’s broken.”
Here’s a look at some current and emerging cybersecurity trends impacting the legal sector.
1. Artificial intelligence
Whether or not your firm uses generative artificial intelligence (AI), you’ve undoubtedly heard about the opportunities AI offers law firms. AI tools can be used to rapidly review documents, improve research and document quality control, detect potential risks earlier, and streamline time-consuming administrative tasks.
However, AI’s impact on cybersecurity tools is one of the most significant trends in the legal industry (and all industries for that matter). AI risk management tools allow law firms to proactively address cyber risks and reduce the potential damages.
According to Clio’s 2024 Legal Trends Report, the percentage of legal professionals using AI in their daily work increased from 19% in 2023 to 79% in 2024.
But AI is a double-edged sword. Not only is it bringing opportunities for law firms, but it's also helping cybercriminals up their game by creating realistic content for elaborate attacks.
2. Deepfakes
Deepfakes are a specific use of AI that has become especially prevalent and troublesome in the legal industry in recent years.
Deepfakes are created with AI to produce manipulated images, videos, or audio recordings of real individuals doing or saying something they never did or said.
The number of deepfake videos surged by 550% between 2019 and 2023, reaching a total of 95,820 videos.
A prime example of the damage that deepfakes can cause involves a Hong Kong finance worker who joined a video call where every other participant, including the company’s CFO, was a deepfake. The employee was tricked into wiring $25 million to cybercriminals.
For legal professionals, deepfakes can pose serious risks, such as impersonated client communications and financial fraud during sensitive transactions.
Learning how to spot deepfakes as well as using a unique code word to verify clients in communications can help combat this cyber threat.
3. Cybersecurity knowledge gap
Employees can be a law firm’s greatest defense against and greatest risk for cyberattacks. That’s why a growing trend in cybersecurity is an emphasis on training staff.
According to the ABA’s 2023 Legal Technology Survey Report, 37.8% of solo practitioners and 48.2% of firms with two to nine attorneys reported having technology training programs. While this is certainly an improvement from previous years, it displays a significant gap in cybersecurity training in the legal industry.
Cybersecurity awareness training is crucial to the success of any law firm and should be conducted at least once a year (or more if the time and budget allow).
4. Increase in ransomware attacks
Unfortunately, the ransomware attack surge is far from over. In 2024, there was an 11% increase in ransomware attacks compared to the previous year, totaling 5,414 published incidents. This surge is largely thanks to the expansion of ransomware-as-a-service (RaaS) operations, which lowers the barrier to entry for cybercriminals by providing ready-made ransomware tools.
It’s estimated that ransomware will cost targets more than $275 billion annually by 2031. As a result, ransomware attack prevention and recovery plans should be part of every law firm’s cyber defense toolkit.
Notable examples of law firm cyberattacks
Let’s take a look at some of the biggest and most high-profile cyberattacks affecting law firms in the last few years.
2024 Orrick Herrington & Sutcliffe data breach
In 2024, Orrick, Herrington & Sutcliffe agreed to pay $8 million to settle class action claims stemming from a March 2023 data breach in which cybercriminals accessed the names, addresses, dates of birth, and Social Security numbers of more than 600,000 people from files stored by the law firm. The hackers also accessed data on medical treatments, diagnoses, and insurance claims details. In the class action lawsuits that followed the cyberattack, Orrick was accused of failing to inform affected parties about the breach until months after the incident.
As proof that any firm can be the target of a cyberattack, it’s worth noting that one of Orrick’s areas of expertise is providing legal counsel to companies that have experienced a cyber incident, including how to notify authorities and the affected individuals.
2023 HWL Ebsworth ransomware attack
In April 2023, Australian law firm HWL Ebsworth suffered a significant data breach when the Russian-linked ransomware group ALPHV/Blackcat infiltrated its systems. The hackers claimed to have accessed and exfiltrated approximately 3.6 terabytes of data, encompassing around 2.37 million files. This breach included sensitive information from over 60 government departments and agencies, including the Australian Federal Police and the Department of Defence. The compromised data was subsequently leaked on the dark web.
2024 Gunster Yoakley & Stewart data breach
In November 2024, Florida-based business law firm Gunster Yoakley & Stewart agreed to pay $8.5 million to settle a class action lawsuit stemming from a 2022 data breach. The breach allegedly exposed the personal and health information of nearly 10,000 individuals, including clients and employees. This major settlement is just one example of the severe consequences that cybersecurity challenges can have on law firms.
Cybersecurity best practices for law firms
That’s a lot of cyber doom and gloom we’ve covered. And we don’t blame you if you’re feeling overwhelmed about what’s to come with cyber risks. While there is no surefire way to eliminate the risk of a cyber incident (if only!), the good news is that there are many measures your firm can take to protect against attacks. Here are some of our recommended best practices for preventing a cyberattack.
- Encryption: Encrypt anything and everything. Encryption is a cost-effective way for law firms to safeguard data from threat actors.
- Enhance password security: Unique and strong passwords that are changed regularly are the first line of defense against law firm cyberattacks. Our top tip? Make sure the passwords aren’t stored anywhere digitally or physically that others can access. For example, avoid using Post-It notes or storing your password on your computer’s local storage.
- Use multifactor authentication: Multifactor authentication (MFA) is an excellent line of defense against cyber threats. Even if your password is compromised by a criminal, they won’t be able to access your law firm’s data since the MFA will ask for a secondary authentication.
- Regularly review permissions: Not everyone at your firm needs access to all files. Instead, determine the minimum level of access each employee needs. Permissions should be reviewed and re-evaluated regularly.
- Avoid data transfers: Keeping sensitive data on personal devices significantly increases cyberattack vulnerability. Avoid transferring data between business and personal devices.
- Create an incident response plan: A cyber incident response plan outlines how your firm will handle all stages of an attack, from detection and containment to remediation and recovery.
- Get insured: Having the right insurance coverage is vital for combating law firm cyberattacks. Not having cyber liability insurance could put your firm’s longevity at risk due to the financial burden that comes in the wake of any cyber incident. At Embroker, we have tailored insurance solutions that can offer protection minutes after applying.
In the modern digital landscape, every firm faces the risk of cyber threats. That’s why it’s crucial to make cybersecurity a priority by staying informed about cyber stats and trends in the legal industry. Being proactive with cybersecurity will help safeguard your firm’s future.