In November 2023, the BBC reported that approximately 80 law firms had been impacted by a cyber-attack on IT service provider, CTS. Home buyers were reported as being particularly affected because conveyancing firms were unable to complete property transactions. The personal impact on individual clients was widely reported:

‘If we don’t complete before 11 December our mortgage interest rate will jump from 3% to more than 5% which would cost us hundreds of pounds more a month.’

Law firms were unable to provide any reassurance to their clients as CTS posted updates on its website and on the social media platform X:

‘We are experiencing a service outage which has impacted a portion of the services we deliver to some of our clients. The outage was caused by a cyber-incident... We continue to work around the clock with the assistance of third-party experts. While we are confident that we will be able to restore services, we are unable to give a precise timeline for full restoration.’

CTS provided no timescale; few updates; and little information. And this is not uncommon. While all good advice is to react to a cyber-attack expeditiously, and the Information Commissioner’s Office (ICO) requires notification of any personal data breach within 72 hours, the information available to the victim of a cyber-attack is often limited.

And in the CTS case, the situation with regard to the information for law firms was even worse as it was not the legal company which was the target of the attack. This was a supply chain attack not targeting a specific law firm rather the service provider, CTS, which then impacted upon ‘downstream’ companies/organisations including at least one set of chambers.

So, if a set of chambers is not even the target of the attack, what can actually be done? Given the CTS incident occurred in the run-up to Christmas, good advice would be to listen to the words of Charles Dickens in A Christmas Carol:

‘I will live in the Past, the Present, and the Future. The Spirits of all Three shall strive within me. I will not shut out the lessons that they teach!’

Only by learning from the past and the present, and then considering the future, will the impact of these attacks be mitigated.

The past

I hate to say ‘I told you so’ but Counsel magazine has been predicting the rise of supply chain cyber-attacks since April 2022 (‘Cyber protect for 2022’), and the guidance Counsel provided to combat these types of attacks still applies (‘Avoid supply chain cyber-attack’):

  1. Complete the Questionnaire.
  2. Make training available for everyone.
  3. Identify internal weaknesses.
  4. Identify weak suppliers.
  5. Report any breach.

Since 2022, in addition to CTS’s cyber incident’, there have been attacks on Allen & Overy, Kirkland & Ellis, K&L Gates, Proskauer Rose, Ward Hadaway, Ince, and barristers’ chambers, 4 New Square. Yet there can still be a reluctance from some to access the guidance available, like the Questionnaire, or to complete IT training.

The past shows that even the most well-resourced organisations can be the victim of a cyber-attack. But that is more reason, rather than an excuse, to do everything possible to avoid ‘cyber weakness’. Members of chambers should use strong passwords; enable multi-factorial authentication; encrypt devices; avoid public WiFi; and back-up data. Some of these small steps may slow, inhibit or prevent cyber-attack, while others, like backing-up data, may be vital after an attack. The ability to restore from back-ups can entirely negate ransomware. But prevention remains better than cure, and individuals should try to ensure they are not the weak link in the supply chain.

The present

Most are aware that there is a regulatory landscape surrounding cyber-attack and the potential loss of personal data. However, the present scope of the scenery and the vastness of the landscape may only become clear when there is actual or potential harm. The ICO requires notification of any personal data breach within 72 hours. And if the breach causes a significant risk of harm, then the individuals’ who are the subject of the data breach will need to be notified. The ICO requirement applies to every data controller; however, there are likely to be several other organisations which will need to be notified if Chambers is subject to a data breach.

For chambers undertaking work for the Legal Aid Agency (LAA) the LAA Civil Contract Standard Terms state, at 16.11: ‘If at any time you suspect or have reason to believe that LAA Data or Shared Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then you will notify us immediately and inform us of the remedial action that you propose to take.’ The same provision appears, again at 16.11, in the 2022 Standard Crime Contract. Chambers working in the criminal courts, or undertaking work on behalf of the Attorney General, will also need to notify CJSM (Criminal Justice System eMail).

The LAA and/or CJSM may take immediate action to prevent data sharing if there is a risk to the integrity of their systems. Consequently, while notification to the ICO may result in an investigation, or potentially a fine, notification to the LAA and CJSM, which is mandatory, could result in an immediate interruption to work. Be prepared to highlight remediation steps to the LAA/CJSM on notification so as to prevent accounts being suspended.

The CTS breach will have led conveyancing firms to notify Lender Exchange, and individual banks or building societies may have suspended client accounts as a result of the ‘cyber incident’. This is less likely to be an issue for barrister’s chambers which will not be holding client money. However, securing chambers’ bank accounts and payment methods will clearly be at the top of the agenda. This should also extend to potentially notifying counterparties to be aware that bank transfer requests, or changes in payment details, may not be authentic.

Finally, it is highly likely that the subject of a cyber-attack will be contacted by the National Crime Agency (NCA). The NCA will triage the attack and decide on whether this will be incorporated into a national investigation or whether it requires a local or regional response. The NCA is an investigator rather than a regulator and its involvement should not be a matter of concern or worry.

Be careful of secondary attack. Just because a person contacts chambers on the telephone claiming to be an NCA officer does not mean that this is true. Check credentials before providing any response. The NCA will open a case through a report to Action Fraud. At the very least you should confirm the Action Fraud reference number, but best practice is to confirm credentials through a medium of alternative communication. Therefore, if you receive an email from the NCA confirm the author’s identity over the telephone. A similar approach should be adopted for any ‘ICO officer’ or your ‘bank manager’.

The future

Artificial intelligence (AI) and deepfakes are going to be used by more than ad-agencies. As AI increases in sophistication AI-powered attacks may lead to automated malware that intelligently adapts in order to evade detection or that can allow for simultaneous zero-day attacks. Cloud-based attacks are not unusual but future AI malware may be able to detect new cloud vulnerabilities and co-ordinate multiple actions so that synchronised cyber-attacks might arise without warning.

Deepfake social engineering may also lead to next-level phishing attacks. Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim. However, incorporating Deepfake images, audio or video within a phishing attack could lead to increased trust from the victim and more easily disclosed data. An avatar on an email or telephone message which has been generated from open-source social media might cause a person to believe that the content is genuine.

The future will therefore see the growth in ‘cyber resilience’ in comparison to cyber security. While the focus of cyber security is on preventing attacks, the realisation that there no infallible system means that resilience – the ability to restore and continue in the wake of a successful breach – will be the standard of the future. Chambers should consider the best way to minimise data loss and downtime as we move through 2024 and beyond. 

‘49% of chambers susceptible to email spoofing,’ audit finds

In a cybersecurity audit, BeCivil UK has uncovered a notable vulnerability among barristers’ chambers in the UK. According to the legal data company, the study, which was conducted in February 2024, found that nearly 49% of chambers are susceptible to ‘email spoofing’ – a deceptive technique where attackers impersonate a legitimate email sender. BeCivil UK’s analysis covered 337 barristers’ chambers with operational websites: ‘The findings are concerning: 163 of these chambers lack DMARC (Domain-based Message Authentication, Reporting, and Conformance) records, a vital defense against email spoofing. DMARC records play a crucial role in ensuring that an email sent from a domain is authentic, thereby hindering attackers’ efforts to forge email identities.’