
In April 2016, an anonymous source delivered 2.6 terabytes of data to investigative journalists. The files—all 11.5 million documents—came from Mossack Fonseca, a Panamanian law firm that had kept the financial secrets of world leaders, celebrities, and billionaires for nearly four decades. The leak exposed offshore holdings of 12 current or former heads of state, including Iceland’s Prime Minister, who resigned within days. Connections to Russian oligarchs. Financial dealings of some of the world’s most powerful people. The firm’s security failure was prosaic: an unpatched WordPress plugin, an outdated Drupal CMS, and 25 known vulnerabilities left unaddressed. Within two years, Mossack Fonseca closed its doors permanently.
A reporter once coined a line that got attributed to bank robber Willie Sutton. Sutton denied ever saying it — his 1976 autobiography made clear the attribution was apocryphal — but the logic has outlived the legend: you rob banks because that’s where the money is. The same arithmetic applies to law firms. You hack them because that’s where all the secrets are buried.
Why do hackers target law firms? Because a single breach can yield what would otherwise require penetrating dozens of corporations. Law firms concentrate the most sensitive information from multiple clients in one place: M&A deal intelligence, litigation strategy, client financial data, trade secrets, and government intelligence. The barrier to entry has never been lower, the potential payoff has never been higher, and most firms remain woefully underprepared despite clear ethical obligations to protect this information.
The Ultimate One-Stop Shop for Secrets
The arithmetic is simple. Breach a corporation, and you obtain that corporation’s secrets. Breach a law firm, and you potentially obtain the secrets of every client that firm has ever represented. Consider what sits on law firm servers: M&A deal intelligence enables insider trading on pending acquisitions. A litigation adversary will pay for strategy documents before depositions begin. Client personal information feeds identity theft, fraud, and blackmail operations. Trade secrets and intellectual property fuel corporate espionage. Criminal defense files contain information defendants would pay dearly to protect. Real estate files contain wire transfer instructions that attackers redirect to overseas accounts.
In December 2016, the U.S. Department of Justice charged three Chinese nationals with hacking into Cravath, Swaine & Moore and Weil, Gotshal & Manges to steal M&A intelligence. The attackers installed malware on firm servers, gained access to partner email accounts, and extracted documents relating to pending mergers including Intel’s $17 billion acquisition of Altera. The scheme netted over $4 million in illegal insider trading profits. U.S. Attorney Preet Bharara called it a “wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”
The Dark Web Economy: Hacking Has Never Been Easier
You don’t need to be a sophisticated hacker to breach a law firm anymore. The dark web has industrialized cybercrime, creating what security researchers call an “access-as-a-service” economy. Initial Access Brokers specialize in breaching networks and selling that foothold to ransomware operators. According to a 2025 Cyberint analysis, 58% of corporate network access now sells for under $1,000, with the median price around $500. Access typically sells within one to three days of listing, and victims appear on ransomware leak sites within 23 to 36 days. Ransomware-as-a-Service subscriptions cost affiliates 10–30% of the ransom collected, providing full attack infrastructure to anyone willing to pay. The criminals who gain initial access and the criminals who deploy ransomware are often entirely different groups, each specializing in what they do best.
VPN access has surged dramatically, more than doubling from 2023 to 2024, now challenging RDP credentials for the most commonly offered access type. The legal services sector ranks among the most frequently targeted industries, alongside business services and manufacturing. When access to a law firm network appears on these marketplaces, ransomware operators recognize immediately what attorneys often fail to appreciate: the concentrated value of legal files makes law firms extraordinarily attractive targets relative to the cost of initial access.
That market has a human face in the legal profession. In March 2024, a six-attorney estate planning firm in New Jersey fell victim to the Qilin ransomware group, one of the most active criminal organizations operating through the dark web access-broker market. The attackers encrypted every client file in the practice. Social Security numbers, driver’s licenses, trust documents, and family financial records belonging to hundreds of clients were compromised and threatened with public release. The firm waited five months before notifying victims. That delay triggered a class-action lawsuit. The attorneys had spent careers protecting the documents families trust no one else to hold. One successful access purchase — available on the open market at the going rate — undid decades of client trust.
AI-Powered Attacks: The New Force Multiplier
Artificial intelligence has transformed the threat landscape in ways that should concern every attorney. According to multiple 2025 industry analyses, over 80% of phishing emails now incorporate AI-generated content, producing flawless, personalized messages that bypass traditional spam filters and eliminate the grammatical errors that once served as red flags. [Note: primary sourcing for this figure comes from security training vendors KnowBe4 and Hoxhunt, both with commercial interests in phishing awareness — treat as directionally accurate pending independent corroboration.] What took human attackers hours to craft, AI accomplishes in minutes. Tools like WormGPT and FraudGPT, available on dark web marketplaces, generate polymorphic phishing campaigns where each email differs in subject lines, sender names, and content structure, rendering signature-based detection systems increasingly ineffective.
Social engineering extends beyond email. In early 2024, fraudsters used AI-generated deepfake video to steal $25 million from Arup, a multinational engineering firm. A finance worker at the company’s Hong Kong office received an email requesting a confidential transaction. When he joined a video call to verify the request, he saw what appeared to be the company’s CFO and several colleagues — all AI-generated recreations. The firm’s Chief Information Officer noted afterward: “None of our systems were compromised and there was no data affected. People were deceived into believing they were carrying out genuine transactions.” Voice cloning technology can now replicate an executive’s voice from as little as three seconds of audio obtained from earnings calls or conference presentations.
For attorneys whose clients communicate through standard phone calls and texts, AI-enabled phishing represents one exposure vector. The compromised telecommunications infrastructure documented in “The FBI Says Stop Texting” represents another. [See “The FBI Says Stop Texting: Here’s the Privilege Problem Nobody’s Discussing,” Morris Legal Technology Blog, 2025.] Together, they describe an environment where virtually every unprotected channel carries documented risk.
The Documented Carnage: 2024–2025 Statistics
Twenty percent of law firms surveyed in a 2025 Proton study of 500 U.S. firms reported being targeted by cyberattacks in the prior twelve months, with 8% losing or exposing sensitive data. A separate survey found that up to 40% experienced a security breach in the prior year, and of those breached, 56% lost sensitive client information. The average cost of a data breach for law firms reached $5.08 million in 2024, a more than 10% increase from the year before. Record ransomware activity in 2024 compromised over 1.5 million legal industry records. These numbers compound a documented failure of readiness.
Perhaps most concerning: 80% of law firms carried at least one technology insurance policy in 2023, but only 34% had an incident response plan. A full 65% of surveyed firms were unfamiliar with their legal obligations following a breach, and 42% were uncertain about their ability to recover. Firms that experience breaches face consequences that outlast the incident itself: 52% of clients express concerns about cybersecurity breaches, nearly 40% say they would fire or consider firing a firm that suffered one, and 37% said they would warn others about their experience.
The Skeptic’s Objection: “We’re Too Small to Be a Target”
“We don’t have M&A clients or government secrets,” the skeptic argues. “These attacks target BigLaw, not firms like ours.” This objection misunderstands both the threat landscape and the economics of cybercrime. Ransomware operators don’t discriminate by firm size; they scan for vulnerabilities, not prestige. The $500 network access and readily available ransomware tools work just as effectively against a five-attorney firm as against a 500-lawyer international practice. Every law firm holds valuable data: personal injury case files contain medical records and financial information; divorce files contain asset disclosures and embarrassing communications; criminal defense files contain information defendants would pay to protect; real estate files contain wire transfer instructions.
The resource constraint deserves its strongest form: a solo practitioner handling routine matters for lower-income clients faces a cost-benefit calculus that differs materially from a six-partner litigation boutique. Investing in enterprise endpoint detection, incident response retainers, and full-time IT security staff may genuinely exceed what the economics of a small practice support. That constraint does not excuse inaction. It defines its scope. The obligation under Rule 1.6(c) scales with the sensitivity of the information and the likelihood of harm. The six steps in the next section cost nothing or nearly nothing. The question is not whether protection requires unlimited resources. The question is whether the protection you provide is reasonable given the data you hold.
Small and mid-sized firms often face greater risk precisely because they carry weaker defenses and no dedicated security staff. The New Jersey estate planning firm breach described above involved a six-attorney practice. The class-action lawsuit that followed did not distinguish between large and small firms when calculating harm. You are a target because you have data worth stealing, systems worth holding for ransom, and potentially less protection than larger competitors.
Your Ethical Obligations Under ABA Model Rules
ABA Model Rule 1.1 requires attorneys to provide competent representation. Comment 8, adopted in 2012, specifies that competence requires “keep[ing] abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” This is not aspirational language; it is a competence requirement that 40 states have now adopted outright or mirrored in their own rules. Attorneys who remain willfully ignorant of cybersecurity fundamentals are not merely taking business risks; they are potentially violating their ethical obligations.
Model Rule 1.6(c) mandates that attorneys “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The Comments to Rule 1.6 identify factors for determining whether efforts are “reasonable,” including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, and the cost and difficulty of implementing safeguards. This fact-specific, risk-based approach mirrors modern information security frameworks.
Formal Opinion 483 (2018) established post-breach obligations: lawyers must make reasonable efforts to detect breaches, stop breaches and restore systems, determine what happened, and communicate with affected clients concerning material loss or compromise of information. Formal Opinion 477R (2017) requires attorneys to take special security precautions, including encryption, when transmitting particularly sensitive information electronically. These opinions establish that cybersecurity is a core component of professional responsibility, not an IT concern to delegate and forget.
Practice Area Implications
Corporate and M&A practitioners face perhaps the most direct threat: the Cravath and Weil Gotshal breaches demonstrated that deal intelligence commands premium prices from those willing to trade on inside information. Litigation practitioners hold strategy documents, settlement discussions, and privileged communications that opposing parties would value. Estate planning and family law practitioners maintain detailed asset inventories, trust documents, and sensitive personal information that enables identity theft and blackmail. Criminal defense attorneys possess information defendants would pay substantial sums to protect. Real estate practitioners handle wire transfer instructions that represent immediate cash extraction opportunities. Healthcare law practitioners manage records subject to HIPAA notification requirements that compound the consequences of any breach.
What to Do Tomorrow
First, enable multi-factor authentication on every system that touches client data. MFA blocks the vast majority of credential-based attacks, and its absence represents an increasingly difficult position to defend as “reasonable” under Rule 1.6(c). Second, audit all user accounts immediately. Access often begins through old, rarely used accounts that remain active for convenience. Disable unused accounts and require strong, unique passwords for all active accounts.
Third, update all software promptly. Mossack Fonseca’s unpatched systems had 25 known vulnerabilities. Initial Access Brokers routinely exploit publicly known vulnerabilities in VPNs, firewalls, and remote access systems. Fourth, implement email encryption for sensitive client communications. Formal Opinion 477R establishes that encryption may be required when transmitting particularly sensitive information.
Fifth, develop and test an incident response plan before you need it. Two-thirds of firms lack such a plan despite most carrying cyber insurance. Your insurer may require one. You will need it when — not if — an incident occurs. Sixth, document all security measures. That documentation demonstrates “reasonable efforts” under Rule 1.6(c) and provides a defense in any subsequent disciplinary or malpractice proceeding.
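As an added example that is not part of the original post, the account audit in the second step and the MFA check in the first can be run over a user export from a system that holds client files, and the dated record the sixth step calls for written at the end. The column names, the 90-day inactivity threshold, the audit date and the sample rows are all assumptions constructed for the example:

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, not real data: one row per account on a system
# that holds client files. Column names and values are assumed for the example.
SAMPLE_EXPORT = """username,last_login,mfa_enabled,enabled,role
jsmith,2025-09-30,true,true,partner
old-intern,2024-11-02,false,true,contractor
paralegal2,2025-10-01,false,true,staff
scanner-svc,2023-05-14,false,true,service
former-assoc,2025-01-20,false,false,attorney
"""
AUDIT_DATE = datetime(2025, 10, 15)   # constructed "as of" date
STALE_AFTER = timedelta(days=90)      # assumed inactivity threshold

def load_accounts(text):
    """Parse the export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(accounts, as_of, stale_after=STALE_AFTER):
    """Return accounts to disable (enabled but unused longer than stale_after)
    and enabled accounts that have no MFA."""
    findings = {"disable": [], "needs_mfa": []}
    for acct in accounts:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to act on
        last_login = datetime.strptime(acct["last_login"].strip(), "%Y-%m-%d")
        if as_of - last_login > stale_after:
            findings["disable"].append(acct["username"])
        if acct["mfa_enabled"].strip().lower() != "true":
            findings["needs_mfa"].append(acct["username"])
    return findings

def _names(names):
    return ", ".join(names) if names else "none"

def audit_record(findings, as_of, stale_after=STALE_AFTER):
    """Dated plain-text record of the audit for the firm's security file."""
    return "\n".join([
        f"Account audit performed {as_of.date().isoformat()}",
        f"Disable (no login in {stale_after.days} days): {_names(findings['disable'])}",
        f"Enable MFA before next login: {_names(findings['needs_mfa'])}",
    ])

def run_sample_audit():
    """Audit the constructed export as of the constructed date."""
    return audit(load_accounts(SAMPLE_EXPORT), AUDIT_DATE)

if __name__ == "__main__":
    print(audit_record(run_sample_audit(), AUDIT_DATE))
```

Accounts that are already disabled are skipped, and a service account with no recent login is flagged like any other; whether it may be disabled is a decision the record should capture.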
What You Owe the Client Who Trusted You
Ramón Fonseca spent nearly four decades helping clients keep secrets. He was good at it. The firm his name helped build administered 14,500 companies across 200 jurisdictions. His entire business model depended on confidentiality. Then an unpatched WordPress plugin handed 11.5 million documents to a journalist, and the firm he spent a career building closed two years later.
The attorneys at Mossack Fonseca were not indifferent to their clients’ secrets. They were indifferent to the systems that held them. That distinction is the whole argument in one sentence.
The technology competence requirement in Comment 8 to Model Rule 1.1 is not a compliance checkbox. It is the profession’s formal acknowledgment that a lawyer who cannot protect client information in the digital age cannot be trusted with it. Catherine’s clients trust her with the financial details of their businesses, the strategy behind their litigation, the facts they have shared with no one else. That trust has a technical dimension. It always did. The profession simply refused to acknowledge it until the breaches made ignorance impossible to maintain.
MFA takes twenty minutes to enable. An incident response plan takes an afternoon to draft. The documentation that demonstrates reasonable efforts under Rule 1.6(c) can be assembled this week. The breach that ends a client relationship — or a practice — takes one successful phishing email.
Ramón Fonseca knew where all the secrets were. He simply forgot who was responsible for keeping them.
About the Author
JD Morris is Co-Founder and COO of LexAxiom, an AI platform for the business of law. He holds a Master of Legal Studies from Texas A&M University School of Law, a Master of Engineering from George Washington University, and dual MBAs from Columbia Business School and UC Berkeley Haas. He writes the Morris Legal Technology Blog under the series banner “The Technology Blind Spot.” Connect with him on LinkedIn at http://www.linkedin.com/in/jdavidmorris, on X at @JDMorris_LTech, or on Bluesky at @JDMorris-ltech.bsky.social.
References
1. ABA Model Rule 1.1, Comment 8 (Technology Competence) (2012).
2. ABA Model Rule 1.6(c) and Comments 18–19 (Confidentiality — Reasonable Efforts).
3. ABA Formal Opinion 477R (May 2017) — Securing Communication of Protected Client Information.
4. ABA Formal Opinion 483 (October 2018) — Lawyers’ Obligations After Electronic Data Breach or Cyberattack.
5. U.S. v. Hong et al., S.D.N.Y. (December 2016) — DOJ Prosecution of Law Firm Hackers.
6. ICIJ, Panama Papers Investigation — Mossack Fonseca Breach Documentation (2016–2019).
7. Sutton, Willie (with Edward Linn). Where the Money Is. Viking Press (1976). [Sutton’s denial of the attributed bank robbery quote.]
8. Proton, 2025 Law Firm Cybersecurity Survey (500 U.S. firms surveyed).
9. IBM, 2024 Cost of Data Breach Report — Professional Services / Law Firm Data.
10. Arctic Wolf / Above the Law — 2024 Law Firm Cybersecurity Survey.
11. Integris — 2025 Law Firm Cybersecurity Report: What Clients Really Think.
12. Cyberint (Check Point) — 2024–2025 Initial Access Broker Report.
13. ABA 2023 Legal Technology Survey Report — Cybersecurity TechReport.
14. CNN Business / Financial Times — Arup $25 Million Deepfake Fraud (February–May 2024).
15. KnowBe4 — 2025 Phishing Trends Threat Report. [Tier 6 vendor source; phishing AI-content statistic requires independent corroboration.]
16. Hoxhunt — 2025 Phishing Trends Report. [Tier 6 vendor source; corroborates KnowBe4 figure but shares commercial interest.]
17. Morris, JD. “The FBI Says Stop Texting: Here’s the Privilege Problem Nobody’s Discussing.” Morris Legal Technology Blog, 2025.
18. Morris, JD. “The $26 Hack That Should Terrify Every Law Firm.” Morris Legal Technology Blog, 2025.
19. Morris, JD. “The Six Week Silence: Breach Disclosure and the Duty to Communicate.” Morris Legal Technology Blog, 2025.
