Jones Day confirms hackers accessed client files in a significant cyber breach targeting one of the world's largest law firms
Jones Day, one of the world's largest law firms with significant London and European operations, has confirmed that hackers gained access to client files stored on its systems. The breach represents one of the most significant confirmed cybersecurity incidents at a major international law firm, given the sensitivity of the data held, which typically includes privileged communications, M&A deal documentation, litigation strategy, and regulatory correspondence.
Law firms hold some of the most commercially sensitive data of any professional services sector: M&A deal terms, regulatory submissions, litigation strategies, and client financial information are all routinely stored across firm systems. A confirmed breach at a firm of Jones Day's scale, which advises on major transactions and contentious matters globally, raises acute questions about professional privilege, data protection obligations under the UK GDPR (General Data Protection Regulation, the UK's post-Brexit data protection framework), and the SRA (Solicitors Regulation Authority) obligations on firms to notify clients and regulators of breaches affecting client data.
Under UK GDPR, a firm that suffers a personal data breach must notify the ICO (Information Commissioner's Office) within 72 hours if the breach is likely to result in a risk to individuals, and must notify affected data subjects where the risk is high. For a law firm handling confidential client information, determining what was accessed, whether legal professional privilege attaches to the data, and how to manage disclosure obligations creates a complex multi-jurisdictional legal challenge.
Why this matters
A confirmed breach at Jones Day activates immediate legal obligations under UK GDPR, EU GDPR, and equivalent US state-level data privacy laws — all simultaneously. The cross-border character of the firm's practice means that determining which regulatory regimes apply to which client data, and in which sequence notifications must be made, is itself a substantial legal task requiring coordinated advice across jurisdictions. For City firms, the story is also a direct competitive intelligence event: Jones Day's client roster and matter files are among the most commercially sensitive in global practice, and the breach raises questions about conflict of interest if adversarial parties obtained privileged documents. The 'why now' context is the broader escalation in state-sponsored and criminal cyber attacks on professional services firms, which the UK National Cyber Security Centre (NCSC) has flagged as a priority threat. Firms with cybersecurity, data protection, and professional regulation practices will see demand from peers and clients re-examining their own breach response protocols.
On the Ground
On a breach response matter, a trainee would draft sanctions screening memos to identify whether any of the threat actors involved are designated persons, and would assist with regulatory notification drafting for ICO and other applicable data protection authorities. Preparing choice-of-law summaries to determine which data protection regimes govern specific categories of client data would also be an early task.
Interview prep
Soundbite
Privilege and GDPR collide the moment a law firm's client files are exfiltrated — notification obligations do not pause for privilege claims.
Question you might get
“What are a law firm's obligations under UK GDPR when client files are accessed by hackers, and how does legal professional privilege interact with the duty to disclose the breach to affected clients?”
Full answer
Jones Day has confirmed that hackers accessed client files, marking one of the most significant confirmed cyber breaches at a major international law firm. The immediate legal consequence is a race against the 72-hour ICO notification clock under UK GDPR, alongside parallel obligations in EU member states and US jurisdictions. The commercial significance is acute: law firms hold privileged communications, deal documents, and litigation strategies that are uniquely sensitive, and a breach creates liability exposure to clients whose confidential information is compromised. This reflects a structural trend of professional services firms being targeted specifically because of the value of the data they hold. My view is that this will accelerate mandatory cyber insurance and incident response retainer requirements in law firm client engagement terms globally.