Data breaches in UK legal sector increase by more than a third, impacting almost 8 million people

UK News

05
Feb
2025

Editor

Half of data breaches are caused by insiders – with human error leading to one in three incidents

A new analysis of data from the Information Commissioner’s Office (ICO) by NetDocuments has revealed a sharp increase in data breaches across the UK legal sector.  Between Q3 2023 and Q2 2024, the number of identified data breaches in the UK legal sector rose by 39% (2,284 cases were reported to the ICO, compared to 1,633 the previous year). Data relating to 7.9 million people was compromised, amounting to 12% of the UK population.

External breaches jumped from 40 percent to 50 percent of the total number of incidents in the past 12 months, with phishing attacks (56% of external attacks) being the most common threat to legal firms. However, insider breaches still accounted for half of all reported data incidents; and more than a third (39 percent) of internal breaches were deemed the result of human error.

“Legal data breaches impact more than one in ten people in the UK, so firms must continue to shore up their internal and external defences,” said David Hansen, VP, Compliance at NetDocuments. “At a time when the sector is continuing to digitalise, legal firms need to strike the right balance between keeping data secure, while still allowing their employees to collaborate and work productively.”

NetDocuments’ analysis of ICO data highlights the common internal causes of all data breaches in the legal sector:

• Overall, 39 percent of all data breaches occurred from human error (e.g., failure to redact or use bcc, alteration of data, hardware misconfiguration).
• 37 percent of all data breaches occurred from sharing data with the wrong person (e.g., via email, post or verbally).
• 12 percent of all data breaches occurred from losing data (e.g., loss/theft of device containing personal data, or of paperwork or data left in an insecure location).

Almost half of all internal and external cases (44 percent) impacted customers, while 18 percent impacted employees. Beyond basic personal information (42 percent), the most common types of data breached were economic and financial data (13 percent), health data (10 percent), and official documents (10 percent).

“This new analysis firmly underlines that the legal sector can’t ignore data protection. Firms handle sensitive documents every hour of every day, so maintaining security when introducing new technologies must remain the highest priority,” David Hansen continued. “Given the uptick in AI adoption, guardrails that mitigate against human error are also imperative. AI has the power to drive productivity and efficiency in the legal sector, but it must not compromise data security.”