Cyber Incident Victim: Ward Hadaway
Date:
Mar 2022
Location:
United Kingdom
Summary
A law firm was targeted in a cyber attack where confidential documents, including sensitive personal data and medical reports related to clinical negligence and Court of Protection cases, were stolen. The attackers demanded a ransom of up to $6 million in Bitcoin, threatening to publish the data, and partially uploaded encrypted files online. The firm detected the breach through its defense systems, contained the incident promptly, and secured a High Court injunction against the unidentified perpetrators for breach of confidence and Computer Misuse Act violations. External forensic specialists assisted the investigation, which revealed limited data impact, though the firm notified affected clients and reported the crime to regulatory bodies and law enforcement. Daily operations remained unaffected as the file management system was uncompromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In March 2022, Ward Hadaway, a UK-based law firm, detected a cyber attack through its defense system, which triggered an alert on 9 March indicating potential unauthorized activity. The following day, an unidentified hacker emailed staff members, claiming to have downloaded confidential data and demanding a $3 million bitcoin ransom within one week, with the threat of doubling the amount to $6 million if unpaid. The attacker provided a list of copied files and data, some of which had already been uploaded to the web in encrypted form. The compromised IT systems contained extensive confidential information, including sensitive personal data and medical reports related to the firm’s work on clinical negligence claims and Court of Protection cases. On 9 March, the High Court granted an injunction against "person or persons unknown" responsible for the attack, prohibiting the use or publication of stolen data. Mr Justice Johnson ruled that the firm had a strong case for breach of confidence under the Computer Misuse Act, citing evidence of unlawful system access. The judge acknowledged the risk that the anonymous attacker might circumvent the injunction using technological anonymity but noted the potential for the order to curb further unlawful activity.
Ward Hadaway immediately contained the incident upon detection and engaged external forensic specialists to investigate, confirming limited data impact. The firm emphasized that its file management system remained unaffected, allowing day-to-day operations to continue uninterrupted. It notified potentially affected clients and coordinated with the Solicitors Regulation Authority, Information Commissioner’s Office, and law enforcement agencies regarding the criminal breach. The attacker’s actions exposed vulnerabilities in safeguarding sensitive client data, particularly medical records entrusted to the firm during legal proceedings. While no public data leaks were confirmed beyond the encrypted uploads referenced in court, the attempted extortion highlighted risks associated with ransomware targeting legal entities holding privileged information. The injunction represented a legal effort to mitigate reputational and operational damage, though its effectiveness remained uncertain due to the attacker’s anonymized infrastructure designed for untraceable bitcoin transactions.