Hackers have infiltrated the IT system of a national firm to harvest data before attempting to spread it through social media.
Duncan Lewis urged people not to open any links to Twitter accounts that may contain sensitive information as it worked to contain the data breach. The Gazette understands that on Thursday the firm secured a High Court Injunction preventing the use of, publication, communication or disclosure to any other person of any information obtained from Duncan Lewis’ IT systems.
It appears to be the latest law firm targeted by hackers in what is developing into a major headache for the legal profession and its regulators.
In a statement, the firm confirmed that its IT systems were hacked last Friday and it immediately worked with external forensics teams to ascertain the source and limit the impact.
A further update revealed that the hacker had published some of its staff and client data in a folder linked to a Twitter feed and shared these links to other accounts.
The firm said: ‘Duncan Lewis has reported this matter to its regulatory bodies and the National Crime Agency Action Fraud team. We have been working closely with them in their investigations and queries.’
Anyone who has been sent links to Twitter accounts with further links to the data is urged not to open them and to immediately delete any files or documents that may have been accessed.
Established 20 years ago, Duncan Lewis is one of the biggest legal aid providers in England and Wales and, according to its last accounts, ending 31 March 2017, has more than 420 staff.
In December, London practice Anthony Gold Solicitors warned people to delete any emails purporting to be from the firm’s address after some 16,000 were sent under the subject line ‘Action Required – Matter for Attention’.
Earlier in the year, the Gazette reported that international law firm DLA Piper was among the victims of a global cyber-attack.
The Solicitors Regulation Authority, which receives around 40 reports of confidentiality breaches each month, stresses the importance of running the latest versions of software, in particular browsers and operating systems, and of keeping them up to date.
In a report from December 2016 dealing with cyber security, the regulator said it recognises that no defence is perfect, but if firms lose client money or information, they must report these cases. The SRA said it will take a ‘constructive and engaged approach’, particularly if firms are taking steps to make good any losses to the client, and are looking to learn from the incident.