Cybersecurity: New Attack on a Scottish Law Firm

Jerome Lussan in collaboration with Charlotte Hide

How are cyberattacks evolving alongside technology? 

Cyberattacks are becoming increasingly troublesome: as technology evolves at an exponential rate, so does cybercrime. Our industry seems to be failing to match that evolution with the level of protection it has against the new threats that technological development creates. This leaves us vulnerable to cyberattacks in two ways: i) an inability to prevent an attack and ii) an inability to mitigate one. The end result is the fear of a heavy fine from the regulator, notably for GDPR failures, but also of reputational damage and of attracting the attention of the FCA.

The greatest target of cyberattacks is personal information, with ‘identity theft reaching epidemic levels in the UK’ and incidents of up to ‘almost 500 a day’ according to the UK fraud prevention service. This exposes a staggering inability to prevent cybercrime at both an individual and a corporate level, a failing the FCA began to punish when the credit agency Equifax was fined £11 million in 2018. The fact that ‘53% of all UK fraud is online’ suggests that online crime has become more efficient than physical crime, with citizens of the UK being ‘20 times more likely to be defrauded at their computer than held up in the street’.

This creates a large risk for the personal information held by legal and financial firms. The Scottish law firm Scullion Law was hit by such an attack as recently as February 2024, suffering serious consequences despite having GDPR processes in place. Tuckers Solicitors LLP suffered a similar attack in 2018 but, because it had not integrated GDPR processes, faced punitive measures from the Information Commissioner’s Office (ICO) on top of the other consequences.

Why do so many firms seem unable to prevent these attacks or manage them appropriately when they do happen, and are attacks in the legal and financial sectors really that pervasive? 

How to fight back? 

The two biggest corporate targets of cyberattacks are legal and financial firms, as stated by the IMF (International Monetary Fund) Blog, likely due to the client-focused nature of their work.[1] Given the need for personal information to verify and authorise financial transactions, the financial sector is ‘uniquely exposed to financial risk’ through a cyberattack. The biggest threat to firms in the financial sector is their own complacency, through which it is easy to assume that if you have not yet been attacked you will not be. From 2017 to 2022 the statistics have stayed at ‘nearly 7 in 10 large companies identif[ying] a breach or attack’. In other words, no improvement in cybersecurity has been made despite the high number of attacks, turning complacency into blatant ignorance. The FCA has taken the same view of financial firms’ failure to have proper processes and training in place to protect against and manage cyberattacks.

Similarly, ‘65% of [law] firms have been a victim of a cyber incident’, and despite this baffling statistic ‘35% of firms still do not have a cyber mitigation plan in place.’ Such a ‘cyber mitigation plan’ would aim to prevent an attack from succeeding in the first place, and would also set out an immediate plan of action to minimise any potential damage. This falls within the GDPR rules on minimisation, so if you thought it was not relevant in itself, it is now, under the new laws.

An effective ‘cyber mitigation plan’ should focus on transparency and minimising future risk, which could be done through the following: 

  • Immediately releasing all relevant information to any individuals whose data have been compromised. 
  • Having a clear and accurate public statement detailing the incident and its repercussions. 
  • Carrying out an immediate review of all GDPR processes to identify how the cyberattack was successful.
  • Improving and updating GDPR processes and relaying these changes to employees and customers. 
  • Working with police and IT experts to wipe leaked information from the internet where possible. [2]

An example of an effective cyber mitigation plan followed the cyberattack on Scullion Law, from whom 155GB of data was stolen at the end of February by a Russian ransomware operator. The firm prioritised absolute transparency, immediately notifying the relevant authorities and “individuals whose data [was] known to have been affected”. It has since been working with police and external experts to manage the damage and has identified the weaknesses that gave the attackers access. In short, the firm followed the steps of addressing the issue immediately, full public transparency, a review of its cybersecurity and improvements to its GDPR processes.

On the other hand, the fining of Tuckers Solicitors LLP by the ICO in 2018 is a good example of how not to do things. Tuckers was attacked in a very similar way, through ransomware, and, as at Scullion Law, the attackers were able to access the data they were seeking. However, Tuckers had no GDPR processes in place and was therefore fined £98,000, on top of its other losses, for not showing the level of preparation that allowed Scullion Law to avoid a fine.[3]

In the financial sector, Equifax Ltd serves as a poster child for failing to mitigate the compromise of ‘the security of UK consumer data’ in 2018, being fined £11,164,400 by the FCA. Equifax’s response to the data breach was rather disappointing, with Equifax only finding out that ‘UK consumer data had been accessed 6 weeks after Equifax Inc discovered the hack’. This shows a lack of transparency both within the corporation and towards the consumers whose data had been compromised. A staggering 13.8 million UK consumers had their personal data leaked, including names, dates of birth, phone numbers, membership login details, partial credit card details and residential addresses.

What earned Equifax their £11 million fine was not that the attack took place, but above all their lack of defence and mitigation of damages: 

1. The ‘cyberattack and unauthorised access to data was entirely preventable’. 

2. They had no cyber mitigation plan, instead making misleading ‘public statements on the impact of the incident on UK consumers’.  

It is important to note that ‘cyber mitigation plans’ should only be used as a safety net should initial cyber defences fail; the aim should still be to prevent cyberattacks from occurring in the first place. 

Following Scullion Law’s attack, Jude McCorry, CEO of the Cyber and Fraud Centre, stated that she is “urging organisations to make themselves as cyber resilient as possible, and also to think of the data that they are custodians of and what would happen if this data was leaked or sold on the dark web.”

Through this public statement, McCorry hits the two key points firms should consider when building their cybersecurity processes: 

  • Firms have a moral and ethical responsibility to protect their clients’ data. 
  • Preventing an attack is more effective than mitigating damage. 

Overall, it is evident that financial and legal firms that prioritise their cybersecurity are better positioned to protect both their clients and themselves. Whereas Scullion Law is already back to full operating capacity as a business, Equifax not only lost a huge sum of revenue but has still not recovered reputationally.

How can we match our cybersecurity to the level of the technology we use? 

Whilst it is great that we can integrate new technologies to make our work more effective, cybersecurity must keep pace with these updates so that they do not make stealing information more effective too.

Elon Musk stated at the National Governors Association summer meeting that “AI is a fundamental, existential risk for human civilization”, acknowledging the risk posed by AI despite Tesla depending on it conceptually. Whilst Tesla shows the potential effectiveness of AI through its autonomous cars, Musk has repeatedly demonstrated awareness of how it could be used as a threat.

This is how financial and law firms should perceive the virtual storage of client data: a system that can be attacked through the very means that make it more effective.

Firms should be embedding GDPR processes and cybersecurity training directly into their standard systems, and using the GDPR rules to prompt management to think about prevention. GDPR processes are necessary to demonstrate due diligence and awareness of cybersecurity responsibilities, to prove cybersecurity to the FCA, and finally to protect the firm’s business itself.

There are a few ways to integrate these processes using regulatory software such as Leo:

  • Completing Compliance Monitoring to periodically review all aspects of GDPR compliance, allowing you to think about weaknesses and improvements.
  • Using GDPR Online Training modules, which Leo allows you to issue in one or two clicks.
  • Scheduling automatic cybersecurity ‘tasks’ to be completed when there is an employee data breach, for a third-party due diligence process, when someone asks for information, etc.
  • Scheduling regular reviews of your Privacy Policies, with reminders to get them updated.
  • Automatically including an Employee Declaration (Privacy Notice) for electronic signing and documenting, to demonstrate understanding of your policies.

Leo’s GDPR solution offers all of the above to ensure compliance, and evidence thereof, which can help minimise fines.

To conclude… 

Successful cybersecurity should evolve alongside technology – if we use technology to make our work more efficient, we have a responsibility to acknowledge that it makes crime more efficient too. Complacency has allowed too many cyberattacks in which consumer and client-entrusted data has been compromised. Firms have a moral and legal obligation to have processes in place to prevent these attacks and, if all else fails, to mitigate the potential damage. The latter should not be perceived as a first line of defence. Regulatory technology like Leo allows you to continue benefiting from the efficiency of technology whilst integrating an awareness of the new dangers it poses.


[1] https://www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability#:~:text=The%20financial%20sector%20is%20uniquely,money%20or%20disrupt%20economic%20activity.

[2] https://www.scottishlegal.com/articles/scullion-law-becomes-victim-of-cyberattack

[3] https://ico.org.uk/media/action-weve-taken/mpns/4019746/tuckers-mpn-20220228.pdf
