Law firms have always been vaults. Now they’re the most targeted vaults in the professional services economy.

Halcyon tracked 134 ransomware incidents against law firms in Q1 2026 alone—legal is now the fourth most targeted industry, surpassed only by healthcare, critical infrastructure, and government. The FBI warned in May 2025 that the Silent Ransom Group (SRG) had claimed 38+ law firms. IBM and Ponemon measured the average breach cost at $5.08 million in 2024. For firms holding client funds, M&A deal data, litigation strategy, and privileged communications—the exposure extends far beyond the direct financial hit.

These are not hypothetical scenarios. These are real firms—some with 50 years of history—that found themselves on the front page of Krebs on Security, Law360, and Reuters.

Why Law Firms Are the Industry’s Top Target

Attorneys accumulate what attackers call “high-value data at scale.” A single mid-size firm may handle M&A due diligence, litigation holds, employment disputes, real estate closings, and regulatory investigations simultaneously. That means:

The ABA’s 2023 Legal Technology Survey found that only 37.8% of solo practitioners and 48.2% of firms with 2–9 attorneys had formal cybersecurity training requirements. That gap is the attack surface.

Beyond the data: the business relationships. A breached firm exposes its clients—not just its own systems. One compromised email account at a law firm can cascade into client fraud, wire transfer losses, and regulatory investigations spanning multiple organizations. The ABA’s Formal Opinion 483 (2018, reaffirmed) makes clear that attorneys have an ethical obligation to keep client data confidential—and that obligation doesn’t disappear because the breach was carried out by a criminal enterprise.

The 7 Breaches

1. Grubman Shire Meiselas & Sacks (2020) — REvil Ransomware + Leak

The attack on Grubman Shire—a 50-year-old Manhattan entertainment law firm with clients including Lady Gaga, Bruce Springsteen, and Madonna—was the industry’s wake-up call. REvil operators encrypted the firm’s files, then exfiltrated and published sensitive client communications and NDAs when the firm declined to pay.

Attack vector: Unconfirmed, but widely reported as a phishing email or credential stuffing against a remote access portal (likely VPN or Citrix).

Downstream impact: Client NDAs, settlement terms, and personal correspondence published on the dark web. Irreversible reputational damage. Ongoing litigation.

Failure point: No documented security training program. No MFA on remote access systems. No incident response plan for a ransomware scenario.

Fix: SOC 2–aligned security awareness training covering phishing defense, incident reporting, and credential hygiene for all staff, including administrative and support personnel with access to privileged systems.

2. Campbell Conroy & O’Neil (2021) — Ransomware Triggering Data Breach

A September 2021 ransomware attack on Campbell Conroy & O’Neil—a Philadelphia firm with 50+ attorneys including prominent corporate and tort defense work—led to a federal court filing in March 2023 confirming that the attackers had accessed and potentially exfiltrated data belonging to multiple clients, including major Fortune 500 companies.

Attack vector: Ransomware deployed through the firm’s network; initial access method not publicly disclosed.

Downstream impact: Class action litigation filed by impacted clients. FBI involvement. Firm faced simultaneous cybersecurity remediation and client litigation defense costs.

Failure point: Delayed breach notification (incident occurred September 2021; notification filed March 2023). Lack of documented security controls made it difficult to assess what data was actually accessed.

Fix: HIPAA Security Rule–aligned incident response procedures including documented breach notification timelines, attorney privilege protocols for breach response, and pre-negotiated breach counsel retainer agreements.

3. Bryan Cave Leighton Paisner (2023) — Third-Party Breach Affecting 51,110

Bryan Cave Leighton Paisner, a global firm with more than 1,200 attorneys, disclosed in May 2023 that a breach in its third-party legal technology vendor’s systems had exposed personal information of 51,110 individuals. The breach was traced to a vulnerability in a vendor’s case management platform.

Attack vector: Third-party vendor compromise; attackers gained access through a vulnerability in a legal software provider.

Downstream impact: Notification to 51,110 individuals. Regulatory inquiry. $750,000 settlement.

Failure point: No documented vendor security assessment program. No third-party due diligence requirement in vendor contracts. No tracing of which client matters were exposed.

Fix: Third-party risk and vendor security training covering how to assess legal technology vendors, what questions to ask about data handling, and how to document vendor compliance in the engagement letter.

4. Orrick, Herrington & Sutcliffe (2023) — Unauthorized Access, $8M Settlement, 637,620 Individuals

In March 2024, Orrick Herrington & Sutcliffe—a firm with over 1,000 attorneys across 23 offices—disclosed a data breach affecting 637,620 individuals. A settlement of $8 million was reached with affected parties, making it one of the largest cybersecurity settlements in the legal industry at that time.

Attack vector: Unauthorized access to a case management or document system. Specific initial access not publicly disclosed.

Downstream impact: $8 million class action settlement. Notification to 637,620 individuals. Regulatory scrutiny of the firm’s data security practices.

Failure point: Unauthorized access for an extended period before detection. No documented data access audit program. Insufficient monitoring of privileged user activity in document management systems.

Fix: SOC 2 CC6 controls training covering least-privilege access, access review procedures, and privileged user monitoring in document management and case management systems.
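The failure point above is an access pattern that a document management system's own audit trail records and nobody reads. The following is an added example, not code from this page or from any firm: a small detection pass over constructed DMS audit records that flags a privileged account touching far more matters in a day than a normal user and any document opens outside business hours. The log format, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from any real firm's DMS):
# one record per line, "timestamp,user,action,matter_id,doc_id".
SAMPLE_LOG = [
    "2024-03-04T09:12:01,apara,open,M-1001,D-1",
    "2024-03-04T09:15:44,apara,open,M-1001,D-2",
    "2024-03-04T10:02:10,apara,open,M-1002,D-7",
    "2024-03-04T02:00:30,itadmin,open,M-1001,D-1",
] + [
    # itadmin (assumed privileged account) opening 40 distinct matters overnight
    f"2024-03-04T02:{i:02d}:00,itadmin,open,M-{2000 + i},D-{500 + i}"
    for i in range(40)
]

MAX_MATTERS_PER_DAY = 15   # assumed baseline: staff work a handful of matters a day
BUSINESS_HOURS = (7, 20)   # assumed: 07:00 to 19:59 local is normal working time


def parse(line):
    """Split one audit record into (timestamp, user, action, matter, doc)."""
    ts, user, action, matter, doc = line.split(",")
    return datetime.fromisoformat(ts), user, action, matter, doc


def find_anomalies(lines):
    """Return (rule, user, detail) tuples for every access-pattern anomaly found."""
    matters_per_user_day = defaultdict(set)
    after_hours_opens = defaultdict(int)
    for line in lines:
        ts, user, action, matter, _ = parse(line)
        if action != "open":
            continue
        matters_per_user_day[(user, ts.date())].add(matter)
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            after_hours_opens[user] += 1

    findings = []
    for (user, day), matters in matters_per_user_day.items():
        if len(matters) > MAX_MATTERS_PER_DAY:
            findings.append(("bulk_matter_access", user, f"{len(matters)} matters on {day}"))
    for user, count in after_hours_opens.items():
        findings.append(("after_hours_access", user, f"{count} opens outside business hours"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(SAMPLE_LOG):
        print(f"{rule}: {user} ({detail})")
```

In practice the thresholds come from each firm's own baseline, and the findings feed an access review rather than an automatic lockout.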

5. Loeb & Loeb (2022–2023) — Network Intrusion, 7-Month Notification Delay

Loeb & Loeb, a Chicago-based firm with more than 300 attorneys, disclosed in 2023 that it had experienced a network intrusion. The firm discovered the intrusion in early 2022 and did not begin notifying affected individuals until late 2023—a notification delay of approximately 7 months, which triggered scrutiny under state breach notification laws.

Attack vector: Network intrusion; specific initial access method under internal investigation.

Downstream impact: Delayed breach notifications. Potential state AG investigation. Client trust damage.

Failure point: 7-month gap between discovery and notification suggests a broken incident response process. No documented forensic investigation timeline. No legal/ethical notification protocol for a law firm.

Fix: Incident response plan builder with law-firm-specific protocols: attorney-client privilege considerations in breach investigation, state notification timelines (varies by state: 30–72 hours for some states), and pre-negotiated forensic counsel arrangements.

6. Wacks Law Group (2024) — Qilin Ransomware, 6-Attorney Boutique, Class Action

In March 2024, Wacks Law Group—a six-attorney New Jersey personal injury firm—was hit by Qilin ransomware. Despite its small size, the firm’s client roster included individuals with active personal injury claims whose sensitive health and financial data was in the firm’s systems. A class action lawsuit was filed against the firm in New Jersey courts.

Attack vector: Qilin ransomware delivered via a phishing email to a staff member’s workstation.

Downstream impact: Firm’s case management system encrypted. Client data potentially exfiltrated. Class action filed against the firm for failure to protect client data. Small firm’s reputation severely damaged in local market.

Failure point: No phishing simulation or security training program. No email filtering or endpoint detection on staff workstations. No backup verification process. Six-attorney firm could not absorb the cost of a forensic investigation and remediation.

Fix: Phishing defense training with live simulations. Small firms are targeted equally with large firms—they just have fewer resources to absorb the consequences. Personal tier covers 1:1 training for firm principals.

7. WSHB + Silent Ransom Group (2025–2026) — Vishing + Physical Infiltration, FBI Warning

In May 2025, the FBI issued a Private Industry Notification warning that the Silent Ransom Group (SRG) had targeted at least 38 law firms—including WSHB (Weitz & Shuhausky Berk LLP, approximately $81M in annual revenue). SRG’s approach is notably different from traditional ransomware: no malware, no encryption. Pure data exfiltration and extortion via social engineering and physical infiltration.

Attack vector: SRG uses a two-stage approach: (1) vishing (phone-based social engineering) to obtain initial access credentials or convince firm staff to reset MFA; (2) physical infiltration of offices where they directly interact with staff to gain additional access, install remote access tools, or exfiltrate physical documents.

Downstream impact: 38+ firms confirmed as of May 2026. No encryption = no ransom demand visible to the firm. Attackers simply threaten to publish exfiltrated client data unless paid. Several firms reportedly paid to avoid publication of privileged matter communications.

Failure point: Staff could not recognize a vishing call. No MFA reset callback protocol at the help desk. No physical security awareness for tailgating and social engineering at the office front desk.

Fix: Vishing defense training covering phone-based social engineering recognition, help-desk MFA reset protocols with outbound callback verification, and physical office security awareness (no badge sharing, no tailgating, visitor escort procedures).

Download the Free Vishing Defense Playbook

11-page playbook covering phone-based social engineering, MFA reset protocols, physical infiltration defense, and Silent Ransom Group specifics — built for law firms.

What Law Firms Miss: The Training Gap That Made All 7 Breaches Worse

Every one of these incidents shares a common thread: the firm had no documented, role-specific security training program in place when the breach occurred. In some cases, staff didn’t know how to recognize a phishing email or a vishing call. In others, the help desk approved an MFA reset without verification. In several cases, the breach notification was delayed because there was no incident response plan. The American Bar Association’s Model Rules of Professional Conduct—specifically Rule 1.6 (Confidentiality of Information) and the ethical obligation to maintain “reasonable measures” to prevent unauthorized access—mean that this is not just an IT problem. It’s a malpractice issue. A breach doesn’t just expose client data. It exposes the managing partner to personal liability for failing to implement reasonable security measures.

Law Firm Cyber Risk: The Numbers

Not sure where your firm stands?

Take the free Cybersecurity Scorecard and benchmark your firm against the 8 training gaps that enabled the breaches above — 5 minutes, personalized report.

Training That Covers the Law Firm Attack Surface

SecurEveryone’s training modules are built around the actual attack patterns documented in law firm breaches:

Case Study: Mid-Size Regional Firm (Anonymized)

A 45-attorney regional firm in the mid-Atlantic came to SecurEveryone in January 2024 after a near-miss: a paralegal received an email purportedly from a partner requesting an urgent wire transfer to a new account for a real estate closing. The paralegal recognized the email tone as unusual, verified the request via a separate call to the partner’s known number, and flagged it as a potential BEC attempt. The request was confirmed fraudulent.

Before SecurEveryone training, the firm had no formal security program. Post-SecurEveryone implementation (Executive tier, quarterly simulations, monthly 30-minute live sessions):

The firm’s cyber insurance carrier accepted their SecurEveryone completion records as evidence of a documented training program—a requirement for renewal. The firm also passed a client security questionnaire from a Fortune 500 client during a new matter onboarding process, citing SecurEveryone’s training records as proof of their security program.

The Bottom Line

Law firms are the most targeted professional services sector for cyberattacks. The data—not the threat model, not the vendor marketing, the actual documented cases—is unambiguous: a 6-attorney boutique and a 1,000-attorney global firm both hold the same sensitive client data. Both need the same training.

ABA Rule 1.6 and Formal Opinion 483 make clear that the ethical obligation is not optional. Your malpractice carrier is asking about your security training program. Your clients are asking. The FBI is warning that active groups are specifically targeting your sector.

Training works. The numbers above—the 82% reduction in phishing click rate, the 91% faster reporting time, the elimination of wire fraud near-misses—are from a single firm, a single year. Multiply that across every attorney and staff member in your firm, and you have a human firewall that stops attacks before they reach your case management system.

Start with one session. Book a session with SecurEveryone and run your team through the legal-specific attack patterns.

Sources: FBI IC3 2024 Annual Report, IBM/Ponemon Cost of a Data Breach 2024, Halcyon Q1 2026 Ransomware Report, Verizon DBIR 2024, ABA Formal Opinion 483, ABA 2023 Legal Technology Survey, Krebs on Security (Grubman Shire coverage), Law360 (Orrick settlement), BakerHostetler 2026 Data Security Incident Response Report, Silent Ransom Group FBI Private Industry Notification May 2025.