Cyber Incident Victim: Allen & Overy

Allen & Overy experienced a cyberattack targeting a limited number of its servers, as confirmed by the firm in a November 2023 statement characterizing the event as a “data incident.” The breach did not compromise core systems critical to daily operations, including email and document management platforms. Immediate containment measures were implemented by the firm’s technical response team in collaboration with an independent cybersecurity adviser, though these steps caused some operational disruptions. The law firm emphasized business continuity despite these challenges, stating it continued to operate normally overall. An investigation remained ongoing to determine the scope of compromised data, with affected clients being notified as a priority. The firm reiterated that safeguarding client data confidentiality was an “absolute priority” in its public communications.

This incident occurred during a pivotal period for Allen & Overy, following partner approval in October 2023 of its planned merger with Shearman & Sterling to form a combined entity with approximately 3,900 lawyers. The firm explicitly confirmed the cyberattack would not affect Shearman & Sterling’s systems, citing their operational separation ahead of the merger’s expected May 2024 completion. The breach aligns with a broader trend of cyberattacks targeting major law firms, including Bryan Cave Leighton Paisner, Proskauer Rose, Kirkland & Ellis, DLA Piper, K&L Gates, and Orrick Herrington & Sutcliffe in recent months. No specifics regarding attack vectors, threat actors, or data exfiltration were disclosed publicly. The investigation focused on identifying impacted data while maintaining containment protocols established during the initial response phase.