When Attorney-Client Privilege is Breached: The Cascading Impact of Cyberattacks on the Legal Sector
Legal sector cybersecurity leaders face a stark reality: the American Bar Association reports that 29% of law firms encountered cybersecurity breaches in 2023, yet 60% of firms with 500 or more attorneys are uncertain whether they’ve been compromised. The financial toll is significant; the cost of a data breach in professional services averages $5.08 million, but these numbers only scratch the surface.
Take for example the 2023 breach at Genova Burns, which exposed client data including personally identifiable information, like Social Security numbers, of New Jersey-based Uber drivers. This incident serves as a reminder that beyond measurable monetary losses, cyberattacks unleash far-reaching consequences across client networks, lingering well beyond the initial violation.
For law firms, the pressing issue isn’t merely if a cyberattack will strike, but when, and more importantly, whether they can handle the fallout when confidentiality collapses.
Beyond Individual Firms: Cyberattack Statistics
Cybercriminals aren’t just targeting isolated law firms. They’re attacking the entire legal ecosystem. Consider these recent incidents:
- Global law firm Orrick, Herrington & Sutcliffe experienced a breach affecting 637,000 victims and ultimately paid $8 million in a class action settlement
- Business law firm Gunster paid $8.5 million following a breach that compromised nearly 10,000 people’s data
- The American Bar Association had 1.5 million lawyers’ login credentials hacked
- The State Bar of California suffered a leak of 260,000 confidential attorney discipline cases
- The U.S. federal judiciary warned of nationwide phishing scams targeting attorneys
The American Bar Association’s assessment of this surge in cyberattacks reflects deliberate targeting of an industry responsible for safeguarding extremely sensitive information.
The “Legal Supply Chain” Vulnerability
NINJIO Chief Innovation & Information Security Officer Matt Lindley identified a critical vulnerability unique to the legal sector: “Law firms are rarely isolated when it comes to cybersecurity threats. They’re integral nodes connecting clients, contractors, courts, and various stakeholders. If a breach occurs at any point in that network, it can cascade into the firm, or vice versa.”
This interconnectedness creates what security experts call the “legal supply chain,” a relationship network that cybercriminals exploit. The Genova Burns/Uber case, for example, demonstrates how breaches at one point affect clients throughout the chain. Similarly, when the IT services provider CTS was breached, 80 client firms faced operational disruptions.
Joshua Ray, founder and CEO of Blackwire Labs, reinforced this concept, saying, “Law firms need to think about themselves as integral parts of broader networks. They are often used as a jumping off point to attack clients, and there are many cases in which law firms have been exploited as third-party attack vectors.”
The Professional and Ethical Impact
When a cyberattack compromises a law firm, the damage extends far beyond immediate financial consequences. Consider Orrick, Herrington & Sutcliffe, an international firm that specializes in helping clients respond to cybersecurity incidents and that nevertheless suffered a major breach of its own. Such an incident inevitably affects future client confidence in the firm’s ability to protect sensitive information.
While class action lawsuits often follow these breaches, perhaps the most profound impact is the erosion of trust in a profession built upon confidentiality.
When client communications are compromised, the foundation of attorney-client privilege is undermined, potentially causing permanent reputational damage in an industry where confidentiality represents not merely best practice, but an ethical obligation.
Artificial Intelligence: Transforming Cybersecurity Threats
Artificial intelligence is transforming the cybersecurity threat landscape for legal organizations. Lindley explains: “The convergence of AI with social engineering means legal teams will face attacks that mimic human touchpoints almost flawlessly.”
This sophisticated technology enables cybercriminals to craft convincing emails referencing specific legal filings and incorporating legitimate-appearing case law, all generated in seconds.
The era of easily spotted phishing attempts with obvious errors has given way to hyper-personalized attacks that even experienced attorneys struggle to identify.
Lindley anticipates AI will soon be employed “not just in front-end phishing, but also in identifying weak links within the legal services supply chain. Attackers will automate the discovery of vulnerable third-party vendors or partner portals, then use stolen credentials to pivot seamlessly between organizations.”
The Human Element: Key to Effective Cyber Defense
With Verizon reporting that 68% of breaches involve human error, technical solutions alone cannot secure legal organizations. The human element represents both the greatest vulnerability and the strongest potential defense.
Social engineering attacks specifically exploit psychological vulnerabilities common in the legal practice:
- Authority and Urgency: Attorneys are conditioned to respond promptly to courts, senior partners, and key clients, all of which are precisely the identities cybercriminals impersonate in targeted attacks.
- Confidentiality Obligations: The ethical duty to protect client information creates opportunities for manipulation through fear of potential data exposure.
- High-stakes Transactions: The large financial transfers common in legal practice make attorneys prime targets for business email compromise.
What makes these attacks particularly effective is their targeting of normal professional behaviors rather than technological weaknesses. As Lindley notes, “Cybercriminals specifically design attacks that target the day-to-day practices of legal professionals, making conventional detection much more difficult.”
Effective defense requires legal organizations to develop both technical protections and human-centered security awareness training that addresses these specific vulnerabilities. This includes developing verification protocols for sensitive requests, implementing multi-channel authentication for financial transactions, and building awareness of emerging threats facing the legal community.
As Lindley emphasizes: “When partners, boards, and executive leadership model secure behaviors and prioritize regular training, law firms foster a culture where every employee understands that data protection is not just an IT concern — it’s fundamental to ethical and effective legal practice.”
From Understanding to Action
For legal security leaders, understanding the cascading impact of cyberattacks represents only the first step. Translating this awareness into effective protection requires a comprehensive strategy that accounts for the unique challenges facing legal organizations.
To discover how leading firms are building effective defenses that protect not just systems but client confidentiality and professional reputation, download our comprehensive report: “NINJIO Insights – Human Cybersecurity in the Legal Sector.” This resource provides detailed guidance on creating a security culture that supports, rather than impedes, the practice of law in an increasingly digital world.
About NINJIO
NINJIO reduces human-based cybersecurity risk through engaging training, personalized testing, and insightful reporting. Our multi-pronged approach to training focuses on the latest attack vectors to build employee knowledge and the behavioral science behind human engineering to sharpen users’ intuition. The proprietary NINJIO Risk Algorithm™ identifies users’ social engineering vulnerabilities based on NINJIO Phish3D phishing simulation data and informs content delivery to provide a personalized experience that changes individual behavior.