Sensitive client data is increasingly stored and processed digitally. It seems everyone's first instinct is to put sensitive documents on the cloud, both for backup and to more easily access them when they're needed. That's why robust cybersecurity practices are essential. Yet, as the recent Levales law firm data breach shows, even firms in sensitive sectors like criminal and military law can fall behind in adopting basic security measures. The consequences? Thousands of individuals affected, and sensitive, legally privileged data exposed on the dark web.
In this post, we break down the key details of the Levales breach and the vital cybersecurity lessons every business, particularly law firms, should learn from it.
What Happened?
Levales, a Hampshire-based law firm, recently fell victim to a cyber-attack, resulting in sensitive client data being published on the dark web. The attack affected 8,234 individuals, with 863 of those individuals deemed to be at high risk due to the exposure of special category data, including information about serious criminal offences and legally privileged details.
This breach happened when an unknown hacker gained access to the firm’s secure cloud-based server using legitimate credentials. The breach raised questions about how secure the firm’s IT infrastructure really was and what steps could have been taken to prevent such a disaster.
The Key Failures
While the hack itself was damaging, it was the firm’s failure to implement basic security protocols that exacerbated the issue. The Information Commissioner’s Office (ICO) found several critical vulnerabilities in Levales’ systems, highlighting the firm’s lack of Multi-Factor Authentication (MFA) and outdated cybersecurity practices.
1. No Multi-Factor Authentication (MFA)
One of the most alarming findings was the absence of MFA—a simple yet powerful security measure. MFA adds an extra layer of protection by requiring users to provide two or more verification factors to gain access to an account. This security layer could have prevented the hacker from gaining access, even with legitimate credentials.
The ICO called MFA a "basic measure" that should be implemented by any organization processing personal data. In the case of Levales, the failure to use MFA was a glaring oversight.
2. Poor Password Management
Levales relied on computer prompts for password management, and, even worse, had no formal password policy in place. This meant that the strength and rotation of passwords were left up to chance, making their system an easy target for malicious actors.
3. Lack of Oversight on Third-Party Providers
Levales had outsourced IT management to a third-party provider but did not actively monitor or review the security measures in place. The ICO noted that the firm was unaware of basic security measures implemented by their provider, such as detection, prevention, and monitoring capabilities.
Worryingly, the firm had not reviewed the technical measures in their contract with the provider since 2012—over a decade of potential vulnerabilities going unchecked.
The ICO’s Response
Given the severity of the breach and Levales’ failure to uphold GDPR compliance, the ICO issued a reprimand against the firm. The ICO stressed the importance of ongoing security reviews and contractual oversight with third-party IT providers to ensure the security of client data. This reprimand serves as a warning for other organizations to actively engage with their IT security, especially when outsourcing.
While Levales avoided fines, they have taken steps to improve their cybersecurity posture, including:
- Implementing MFA across all user accounts.
- Updating contracts with third-party IT providers.
- Conducting a full review of their IT systems to address weaknesses and upgrade their firewall.
Lessons for Law Firms and Businesses
The Levales breach serves as a cautionary tale for businesses, particularly those in sectors handling sensitive data like law firms. Here are the key takeaways for businesses looking to bolster their cybersecurity:
1. MFA is Non-Negotiable
MFA should be a standard security measure across your organization, especially when dealing with sensitive data. It provides an additional line of defense against unauthorized access, even if credentials are compromised.
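As an added example (not code from the original post or from Levales), the check below reviews cloud sign-in audit events for the pattern both MFA sections describe: a valid credential accepted with no second factor, and the higher-priority case where that happens from an address the user has never signed in from. The event fields, sample events, known-IP baseline and MFA enrolment list are all constructed assumptions, not real logs.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignIn:
    """One sign-in audit event (field names are assumptions, not a real log schema)."""
    user: str
    ok: bool     # credential accepted?
    mfa: bool    # second factor presented?
    ip: str

# Constructed sample events in chronological order (not from any real system).
SAMPLE_EVENTS = [
    SignIn("alice@example.test", True, True, "203.0.113.10"),
    SignIn("bob@example.test", True, False, "203.0.113.20"),
    SignIn("carol@example.test", False, False, "198.51.100.7"),
    SignIn("bob@example.test", True, False, "198.51.100.7"),  # new IP, no MFA
    SignIn("dave@example.test", True, True, "198.51.100.7"),
]

# Constructed baseline: addresses each user has previously signed in from.
KNOWN_IPS = {
    "alice@example.test": {"203.0.113.10"},
    "bob@example.test": {"203.0.113.20"},
    "dave@example.test": {"203.0.113.10"},
}

# Constructed list of accounts the identity provider reports as MFA-enrolled.
MFA_ENROLLED = {"alice@example.test", "carol@example.test", "dave@example.test"}

def single_factor_successes(events):
    """Every accepted sign-in where no second factor was presented."""
    return [e for e in events if e.ok and not e.mfa]

def unfamiliar_single_factor(events, baseline):
    """Single-factor successes from an IP the user had never used before.
    A valid password, no second factor and a new location is what a stolen
    credential looks like, so these go to the top of the review queue."""
    seen = {u: set(ips) for u, ips in baseline.items()}
    flagged = []
    for e in events:
        if e.ok and not e.mfa and e.ip not in seen.get(e.user, set()):
            flagged.append(e)
        if e.ok:  # learn the address only once it has been used successfully
            seen.setdefault(e.user, set()).add(e.ip)
    return flagged

def accounts_missing_mfa(events, enrolled):
    """Users seen signing in who are not enrolled in MFA: the remediation list."""
    return sorted({e.user for e in events} - set(enrolled))
```

Run against a real identity provider export, the same three functions give the rollout owner the list of accounts still to enrol and the events worth investigating first.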
2. Password Policies Matter
Implementing strong password management policies—requiring regular updates, complexity, and strength—is critical. Don’t rely on users to follow best practices without formal guidance. Consider using password managers and enforcing policies for creating and rotating strong passwords.
3. Know Your Third-Party Providers
Outsourcing IT management doesn’t mean outsourcing responsibility. Regularly review your IT providers' security measures, monitor their compliance, and ensure they are aligned with the sensitivity of the data you process.
4. Conduct Regular Security Reviews
Technology evolves rapidly, and so do cyber threats. Conduct regular reviews of your IT infrastructure, policies, and contracts to ensure they are up to date and can adequately protect your business.
The Future of Cybersecurity in the Legal Sector
This breach comes in the context of broader concerns about cybersecurity in the legal sector. In June 2023, the National Cyber Security Centre (NCSC) released an updated Cyber Threat to the Legal Sector report, highlighting the growing risks facing law firms. The report stressed the importance of cyber awareness and the need for firms to adopt both technical and organizational measures to combat evolving threats.
The NCSC has issued guidance specifically for small to medium-sized law firms, providing practical tips on how to reduce the risk of becoming victims of cyber-attacks. These include using MFA, conducting regular penetration tests, and reviewing contracts with external providers.
Final Thoughts
The Levales law firm breach highlights the severe consequences of neglecting basic cybersecurity measures. While no organization is immune to cyber-attacks, proactive measures such as MFA, strong password policies, and ongoing security reviews can significantly reduce risk. As the legal sector faces growing cyber threats, firms of all sizes must prioritize data security to protect their clients, their reputation, and their business.
Are you confident in your organization’s cybersecurity measures? Reach out to us today for a consultation to ensure your firm is prepared to defend against the next cyber threat.