The Salesforce/Gainsight breach — and Salesforce's commendably transparent disclosure of compromise indicators and remediation progress — has pushed third-party cyber risk back to the top of the CISO agenda. Yet one category of vendor consistently escapes scrutiny: professional services firms. That blind spot carries serious consequences.
Law firms are especially dangerous vectors. The nature of legal work means a single compromised firm can expose M&A intelligence, litigation strategy, regulatory filings, and decades of client data simultaneously — and adversary targeting of the legal sector is accelerating. The downstream risk impacts can be severe and long-lasting.
The Industrialization of Legal Sector Attacks
The statistics are unambiguous. One in five U.S. law firms was targeted by a cyberattack in the past year, and 56% of those that suffered breaches lost sensitive client data in the process. The average breach now costs $5.08 million — a 10% year-over-year increase that doesn't account for long-term reputational damage or client defection.
RansomHub has emerged as the dominant ransomware threat of 2025, having absorbed talent from disrupted groups including LockBit and ALPHV/BlackCat. Its competitive advantage is structural: by offering affiliates a 90/10 profit split rather than the industry-standard 70/30, RansomHub has attracted the most capable operators in the criminal underground. Meanwhile, Qilin's Rust-based ransomware has specifically targeted legal entities with payloads whose encryption is designed to resist recovery, making restoration extremely difficult.
The chart below, derived from Recorded Future analyst tracking of ransomware extortion sites, illustrates industry-by-industry growth in ransomware targeting — with legal firms holding the top position.
These are not opportunistic intrusions. Threat actors now routinely maintain dwell times of several weeks inside firm networks, methodically identifying the most valuable intelligence before triggering an extortion event. Attackers understand precisely what creates maximum leverage: M&A details during live transactions, litigation strategy ahead of trial, and years of retained client data spanning multiple matters.
Recorded Future telemetry from the past quarter identified more than 20 legal or legally adjacent firms with active malware communicating with malicious command-and-control (C2) infrastructure. For some firms, observed traffic lasted fewer than 24 hours; for others, persistence exceeded five days. A malicious implant does not automatically indicate a full breach or data exfiltration — but it is a meaningful signal and a critical input for organizations monitoring third- and fourth-party risk.
Infographic depicting recent malware dwell times observed across global legal firm victims
When Privilege Becomes Your Adversary's Weapon
Courts have steadily eroded attorney-client privilege protections for breach investigations, creating a trap in which forensic reports can become discovery ammunition. The Capital One decision ordered production of Mandiant's forensic report on the grounds that the investigator served "business purposes" rather than providing pure legal advice.
The risk compounds through the "sword and shield" waiver doctrine. Any use of breach investigation findings — including citing them in discovery responses — can trigger a subject matter waiver, requiring disclosure of all privileged communications related to threat assessment and remediation. The 2024 Samsung Data Breach ruling made this explicit: sharing forensic reports with 15 executives was deemed evidence of business decision-making use, defeating privilege entirely.
Federal Rule of Evidence 502 creates further exposure when incident reports are shared with regulators. In the 2023 Covington & Burling case, the SEC subpoenaed the firm for the names of 298 publicly traded clients whose data "may have been exfiltrated." A court ultimately ruled that only seven clients had to be identified — but the case established that law firms cannot completely shield client identities from regulators, and those named clients then faced potential SEC scrutiny for failing to disclose that their counsel had been breached.
M&A Intelligence Monetization at Scale
When Berkeley Research Group was hit by ransomware in March 2025 — during a $700 million leveraged buyout by TowerBrook Capital Partners — the attack exposed M&A intelligence spanning hundreds of concurrent deals. This wasn't merely data theft; it was a systematic opportunity for market manipulation.
Academic research puts a dollar figure on the damage. The Intralinks/Cass Business School study found that 8–10% of M&A deals leak annually, with leaked deals achieving median premiums of 47% compared to 27% for non-leaked deals — a 20-percentage-point gap worth millions per transaction. Leaked deals also complete at significantly lower rates: 49% versus 72%.
The Tyler Loudon case (2024) illustrated the criminal upside of that access directly: the defendant stole M&A information from his attorney wife and used it for insider trading, resulting in federal charges.
The Systematic Failure to Assess Professional Services Risk
Only 30% of law firms report that clients ask them to complete security questionnaires — and that's before accounting for the limited value of attestations as a measure of actual exposure. By contrast, SaaS vendors face near-universal security review requirements. This exemption culture likely stems from relationship bias and the flawed assumption that law firms are not "tech vendors," despite operating deeply technology-dependent businesses.
The scope of data concentration at these firms often goes untracked entirely. A single firm may hold M&A details, employee PII, trade secrets, litigation strategy, regulatory matters, and executive compensation data — often across business units that operate independently and have no visibility into one another's exposure. The 2023 Orrick breach exposed more than 637,000 individuals precisely because the firm had aggregated data from employment litigation, M&A transactions, and patent filings across its practice groups.
Retention practices make this worse. Lawyers traditionally "keep everything forever" — driven by risk-averse professional culture and regulatory requirements. Data from matters closed in the 1990s may still reside on unpatched legacy servers. Every additional year of retention increases cumulative breach exposure, yet most enterprises never ask outside counsel about deletion policies or data locations.
Strategic Actions for Enterprise Defense
Treating professional services firms as high-risk technology vendors requires structural changes to vendor management — not just updated questionnaires.
- Eliminate standing exemptions: Subject law firms and consultancies to the same security requirements as SaaS vendors — SOC 2 verification, independent audits, and quarterly assessments — without carving out relationship-based exceptions.
- Map concentration risk: Identify every professional services vendor with cross-functional data access. Calculate total organizational exposure when a single firm holds aggregated intelligence spanning HR, legal, finance, and compliance matters.
- Audit fourth-party dependencies: Require disclosure of critical subvendors — MSPs, cloud providers, SaaS platforms, and document management systems. A breach of fourth-party infrastructure becomes your breach through API token theft, credential harvesting, and VPN pivoting.
- Establish time-bound access: Issue purpose-limited credentials that expire at matter close. Eliminate long-lived access that persists in engagement archives and consulting code repositories.
- Define retention requirements contractually: Specify data deletion timelines with confirmation obligations, and audit compliance quarterly. Many firms retain data indefinitely on legacy systems without realizing the exposure this creates.
- Deploy breach detection: Place honeytokens in systems accessible to outside counsel and consulting firms. Establish 24–48 hour breach notification SLAs with emergency credential rotation capabilities built into your incident response plan.
- Create specialized incident response protocols: Develop playbooks specifically for law firm breaches that address privilege complications, litigation exposure assessment, and regulatory notification obligations — these differ materially from standard vendor breach response.
- Use threat intelligence to monitor vendor infrastructure: Map professional services firms' domain and IP space, and monitor for traffic between malware implants and C2 infrastructure. Recorded Future's Third-Party Intelligence automates this monitoring across the full vendor ecosystem, providing real-time alerts when professional services firms show compromise indicators. Combined with Ransomware Mitigation capabilities, organizations can track ransomware group TTPs, monitor extortion sites, and receive early warning when vendors surface on leak sites — enabling immediate access revocation and coordinated remediation.
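Two of the actions above, time-bound credentials that expire at matter close and honeytokens placed where outside counsel can reach them, can be enforced with a small periodic review job. The script below is an added illustration written for this page, not code from Recorded Future or from any vendor product named here; the vendor register, account names, matter IDs, honeytoken document names and audit-log lines are all constructed, and the log format is a hypothetical document-management export. It flags accounts still active after their matter closed (with an optional grace period) and raises an alert for any read of a honeytoken, then folds both into a single revoke list for the incident response playbook.

```python
"""
Vendor access review for outside counsel (added example, constructed data).

Checks two controls from the action list above:
  1. purpose-limited credentials must not outlive the matter they were issued for;
  2. any access to a honeytoken document shared with a vendor is an alert.
"""
from datetime import date, timedelta
import re

# Constructed register of per-matter service accounts issued to vendors.
# "matter_closed" is None while the matter is still open.
VENDOR_ACCESS = [
    {"vendor": "example-law-firm-a", "account": "svc_firm_a_m1042", "matter": "M-1042",
     "matter_closed": date(2025, 3, 31), "active": True},
    {"vendor": "example-law-firm-a", "account": "svc_firm_a_m1101", "matter": "M-1101",
     "matter_closed": None, "active": True},
    {"vendor": "example-consultancy-b", "account": "svc_cons_b_m0977", "matter": "M-0977",
     "matter_closed": date(2024, 11, 15), "active": False},  # already revoked
    {"vendor": "example-law-firm-c", "account": "svc_firm_c_m1088", "matter": "M-1088",
     "matter_closed": date(2025, 6, 30), "active": True},
]

# Constructed honeytoken documents seeded in the data room shared with outside counsel.
# No legitimate workflow opens them, so any read is a signal worth investigating.
HONEYTOKENS = {"Board_Compensation_FINAL.xlsx", "ProjectAtlas_Term_Sheet_v9.docx"}

# Constructed audit-log export (hypothetical format: one access event per line).
AUDIT_LOG = """\
2025-07-02T09:14:05Z READ user=svc_firm_a_m1101 doc=Discovery_Index_M1101.pdf src=203.0.113.21
2025-07-02T09:20:41Z READ user=svc_firm_a_m1042 doc=Board_Compensation_FINAL.xlsx src=198.51.100.7
2025-07-02T11:03:17Z READ user=svc_firm_c_m1088 doc=Closing_Checklist_M1088.docx src=203.0.113.44
2025-07-03T02:47:59Z READ user=svc_firm_a_m1042 doc=ProjectAtlas_Term_Sheet_v9.docx src=198.51.100.7
"""

# Date the review runs; fixed here so the example is reproducible.
REVIEW_DATE = date(2025, 7, 3)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) user=(?P<user>\S+) doc=(?P<doc>\S+) src=(?P<src>\S+)$"
)


def stale_credentials(register, today, grace_days=0):
    """Accounts still active after their matter closed plus an optional grace period."""
    stale = []
    for entry in register:
        closed = entry["matter_closed"]
        if entry["active"] and closed is not None and today > closed + timedelta(days=grace_days):
            stale.append(entry["account"])
    return stale


def parse_log(text):
    """Parse the constructed audit export into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def honeytoken_alerts(events, honeytokens, register):
    """One alert per honeytoken read, enriched with the vendor and matter behind the account."""
    by_account = {e["account"]: e for e in register}
    alerts = []
    for ev in events:
        if ev["doc"] in honeytokens:
            acct = by_account.get(ev["user"])
            alerts.append({
                "ts": ev["ts"],
                "account": ev["user"],
                "vendor": acct["vendor"] if acct else "unknown",
                "matter": acct["matter"] if acct else "unknown",
                "doc": ev["doc"],
                "src": ev["src"],
            })
    return alerts


def review(register, log_text, honeytokens, today):
    """Combine both checks into one result; the revoke list feeds credential rotation."""
    stale = stale_credentials(register, today)
    alerts = honeytoken_alerts(parse_log(log_text), honeytokens, register)
    revoke = sorted(set(stale) | {a["account"] for a in alerts})
    return {"stale": stale, "alerts": alerts, "revoke": revoke}


if __name__ == "__main__":
    result = review(VENDOR_ACCESS, AUDIT_LOG, HONEYTOKENS, REVIEW_DATE)
    for acct in result["stale"]:
        print(f"STALE  {acct} is active but its matter has closed; revoke")
    for a in result["alerts"]:
        print(f"ALERT  {a['ts']} honeytoken {a['doc']} read by {a['account']} "
              f"({a['vendor']}, matter {a['matter']}) from {a['src']}")
    print("Revoke now:", ", ".join(result["revoke"]))
```

Run against the constructed data, the review finds two accounts that outlived their matters and two honeytoken reads from one of them, which is exactly the overlap that should trigger the emergency rotation path in the incident response plan rather than a routine cleanup ticket. A real deployment would pull the register from the identity provider and the events from the document-management system's audit API; the matching logic stays the same.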
The Bottom Line
The 2025 threat landscape leaves little room for ambiguity. With 21 law firm breaches recorded in just the first five months of 2024, and high-profile incidents such as Williams & Connolly's nation-state compromise and Berkeley Research Group's ransomware attack during an active M&A transaction, the pattern is well established.
When a law firm holding decades of your most sensitive data is breached, you don't have a vendor incident — you have a strategic intelligence compromise with multi-year competitive consequences. Traditional third-party risk frameworks that exempt "trusted advisors" from the scrutiny their data concentration demands are not just inadequate; they are a liability. Moving from relationship-based trust to risk-based verification is no longer optional.
Learn how Recorded Future's Ransomware Mitigation and Third-Party Intelligence solutions work together to defend against cascading vendor risk — from tracking ransomware groups targeting legal firms to monitoring your entire vendor ecosystem for real-time compromise indicators.