Law firms are being vigorously attacked by hackers. This is unsurprising given that law firms are repositories of incredibly valuable and commercially sensitive information about their clients and maintain large sums of money in their trust accounts.

Lawyers should be paying particular attention to a white paper published yesterday from RepKnight. The cybersecurity company searched the Dark Web and found over a million leaked and hacked credentials from top law firms in the United Kingdom. These firms may now be vulnerable to the theft of highly sensitive information as well as other cyberattacks—chances are good some of them have already been compromised.

RepKnight searched for 500 different UK law firms on the Dark Web, including ‘magic circle’ firms and global firms with UK offices. They found compromised credentials from every single one of those firms, more than half of which had been posted within the last six months.

When hackers obtain passwords as well as email addresses, they can use bots to launch ‘credential stuffing’ attacks where the same login information is attempted on multiple sites. Because of how common it is to repeat the same password over different sites, this can result in breaches across multiple networks. The leaked information also puts employees at risk of identity fraud and ‘spear phishing’ attacks, where information is used to specifically target and individual. LawPRO has reported on spear phishing attacks across Ontario over the past few years.

RepKnight reports that most of the compromised information did not come from direct attacks, but rather resulted from breaches at third-party websites where law firm employees had registered using their work email addresses. Third-party service providers are a very common weak point for cyberattacks at organizations of all sizes.

Keeping client information confidential is one of the most important responsibilities of law firms. It is both a professional obligation and a key component of maintaining a firm’s reputation. Law firms which do not protect client data and their accounts may be at significant risk of breaching their fiduciary obligations, damaging their reputation, and losing money.

Sole practitioners and law firms both large and small must take steps to identify their cybersecurity risks and implement a plan to address these risks.