This is a real story. Names and identifying details have been changed to protect the firm.
Henderson Legal (not their real name) is a 30-person personal injury law firm in Brisbane. They'd been using Microsoft 365 for 4 years. They thought they were secure.
They weren't.
Friday, 3:47 PM: The Breach Begins
Sarah, a paralegal who left the firm 6 months ago, received a phishing email that looked like it was from Microsoft. It warned her M365 account would be suspended unless she verified her credentials.
She clicked the link and entered her old work email and password. Within minutes, attackers had access.
The problem? Sarah's account was never disabled after she left. It still had active credentials. It was still assigned a Business Premium license. And it still had access to thousands of client emails.
Saturday, 2:14 AM: Discovery
A partner working late noticed unusual "shared with you" notifications in their SharePoint. Files they'd never seen before. Access requests from external email addresses.
They called their IT consultant. By 4 AM, they confirmed: someone had accessed the M365 tenant using Sarah's credentials and spent 8 hours downloading client files and emails.
The 48-Hour Timeline
Hour 0-8 (Friday night)
Attacker accessed 6,000+ client emails via Sarah's mailbox. Downloaded 247 client files from SharePoint. Accessed case notes, settlement agreements, medical records, financial documents.
Hour 12 (Saturday morning)
Breach discovered. IT consultant called in. Sarah's account disabled. Started investigating scope.
Hour 24 (Sunday)
Unified audit logs reviewed (thankfully they were enabled; audit logging cannot be switched on retroactively, so without it the scope would have been guesswork). Confirmed: 6,000 emails, 247 files, 89 clients affected. Notification under the Privacy Act's Notifiable Data Breaches scheme required.
Hour 36 (Sunday night)
Retained cyber security firm ($18,000) to investigate and secure environment. Retained privacy lawyer ($12,000) for OAIC notification.
Hour 48 (Monday morning)
Notified OAIC. Began process of notifying 89 affected clients. Partners calling clients personally to explain.
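How the Hour 24 scoping step is actually done, as an added example that is not part of the original post and not CyberChex's own tooling: an Exchange Online PowerShell search of the Microsoft 365 unified audit log for everything the compromised account downloaded or read inside the attack window. The account name, the dates and the exact window are assumptions chosen to match the story.

```powershell
# Added example, not from the original post: scope what a compromised account
# touched, using the Microsoft 365 unified audit log from Exchange Online
# PowerShell (Install-Module ExchangeOnlineManagement). Needs an account with
# the View-Only Audit Logs role. The UPN and the time window are assumptions.
Connect-ExchangeOnline

$Upn   = 'sarah@henderson-legal.example'          # assumed: the compromised account
$Start = [datetime]'2024-05-10T15:30:00'          # assumed: just before the phishing click
$End   = [datetime]'2024-05-11T04:00:00'          # assumed: when the account was disabled

# SharePoint/OneDrive downloads plus aggregated mailbox reads. ReturnLargeSet
# with a fixed SessionId pages past the 5,000-record limit of a single call.
$Ops       = 'FileDownloaded', 'FileSyncDownloadedFull', 'MailItemsAccessed'
$SessionId = "ir-scope-$($Upn)-$(Get-Date -Format yyyyMMddHHmmss)"
$Events    = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
                -Operations $Ops -ResultSize 5000 `
                -SessionCommand ReturnLargeSet -SessionId $SessionId
    if ($page) { $Events += $page }
} while ($page.Count -eq 5000)

# AuditData is a JSON string; expand it so the per-workload fields are queryable.
$Parsed = $Events | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# Distinct files downloaded. ObjectId is the full URL of the SharePoint item.
$Files = $Parsed | Where-Object { $_.Operation -like 'File*' } |
         Select-Object -ExpandProperty ObjectId -Unique
"Distinct files downloaded: $(@($Files).Count)"

# Mailbox reads. MailItemsAccessed records are batched; OperationCount is the
# number of messages bound or synced in that batch, so sum it rather than
# counting records. A zero here may mean the tenant's audit tier does not log it.
$MailItems = ($Parsed | Where-Object { $_.Operation -eq 'MailItemsAccessed' } |
              Measure-Object -Property OperationCount -Sum).Sum
"Mail items accessed (approx.): $([int]$MailItems)"

# Source addresses. SharePoint records carry ClientIP, Exchange records
# ClientIPAddress; anything outside the user's normal sign-in locations is the
# attacker. Compare against the Entra sign-in log for the same window.
$Parsed |
    Select-Object @{ n = 'IP'; e = { if ($_.ClientIP) { $_.ClientIP } else { $_.ClientIPAddress } } }, Workload |
    Group-Object IP, Workload | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the raw records: the forensics firm and the OAIC notification both need them.
$Events | Select-Object CreationDate, Operations, UserIds, AuditData |
    Export-Csv -Path "audit-$($Upn.Split('@')[0]).csv" -NoTypeInformation
```

Two caveats a practitioner would check before trusting the numbers: the unified audit log only holds what the tenant's audit tier recorded, and its retention is limited (180 days on the standard tier at the time of writing), so export it early. Also widen the window a few hours either side of what you think you know; attackers often test a credential well before they bulk-download.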
The Cost Breakdown
Total Cost: $73,400
- Cyber security investigation: $18,000
- Privacy lawyer (OAIC notification): $12,000
- Credit monitoring for 89 clients (2 years): $15,800
- PR/crisis communications consultant: $8,500
- Lost billable hours (3 days, 6 staff): $14,400
- IT remediation (MFA, security hardening): $4,700
This doesn't include:
- 15 clients who moved to other firms (estimated $180,000 in lost revenue over 2 years)
- Increased cyber insurance premiums (+$9,000/year)
- Partner stress and sleepless nights (immeasurable)
What Made This Breach Possible
The forensic investigation found four critical security gaps:
- No MFA on Sarah's account — Password alone was enough to gain access
- No offboarding process — Sarah's account active 6 months after departure
- Excessive access rights — Paralegal had access to ALL client files (should have been need-to-know)
- No monitoring/alerts — 8 hours of file downloads went undetected
The Worst Part
Six months before the breach, Henderson Legal had a CyberChex M365 security assessment.
Our report flagged all four issues:
- FAIL: MFA not enforced on 12 accounts (including Sarah's)
- RISK: 8 inactive accounts still licensed (including Sarah's)
- RISK: No Conditional Access policies limiting access
- RISK: No alerting configured for suspicious activity
The remediation roadmap was sitting in their inbox. Priority: Immediate (48 hours).
They never implemented it.
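Two of those findings can be reproduced from any tenant in a few minutes. The Microsoft Graph PowerShell script below is an added example, not CyberChex's assessment tooling and not code from the original post: it lists enabled, licensed accounts with no sign-in for 90 days (the threshold is an assumption) and users with no MFA method registered. Note that the registration report shows who has set up MFA, not who is forced to use it; a user can be registered and still never be challenged if no Conditional Access policy or Security Defaults requires it.

```powershell
# Added example, not from the original post: reproduce the "inactive accounts
# still licensed" and "MFA not registered" findings with Microsoft Graph
# PowerShell (Install-Module Microsoft.Graph). signInActivity needs Entra ID P1,
# which Business Premium includes. The 90-day cutoff is an assumption.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$Cutoff = (Get-Date).AddDays(-90)

# Finding: inactive accounts still licensed. A disabled account is harmless
# here; an *enabled* licensed account nobody uses is the Sarah case.
$Users = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses, SignInActivity, CreatedDateTime

$Stale = foreach ($u in $Users) {
    if (-not $u.AccountEnabled -or $u.AssignedLicenses.Count -eq 0) { continue }
    # Most recent of interactive and non-interactive sign-in; null means no
    # sign-in since tracking began.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last -and $u.CreatedDateTime -gt $Cutoff) { continue }   # brand-new account, not stale yet
    if (-not $last -or $last -lt $Cutoff) {
        [pscustomobject]@{ User = $u.UserPrincipalName; LastSignIn = $last; Licences = $u.AssignedLicenses.Count }
    }
}
"RISK: $(@($Stale).Count) enabled, licensed accounts with no sign-in in 90 days"
$Stale | Format-Table -AutoSize

# Finding: MFA not registered. Registration status lives in the authentication
# methods report, not on the user object.
$Reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$NoMfa = $Reg | Where-Object { -not $_.IsMfaRegistered }
"FAIL: $(@($NoMfa).Count) users with no MFA method registered"
$NoMfa | Select-Object UserPrincipalName, IsMfaRegistered,
            @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# The intersection is the priority list: stale, licensed, and protected by a
# password alone. Every one of these is an open door.
$Both = @($Stale.User) | Where-Object { $_ -in $NoMfa.UserPrincipalName }
"Stale AND no MFA: $($Both -join ', ')"
```

Run it monthly and the inactive-account list doubles as the input to an access review. To check enforcement rather than registration, list the tenant's policies with `Get-MgIdentityConditionalAccessPolicy` and confirm one of them requires MFA for all users with no broad exclusions.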
"We were going to," the managing partner told us later. "It just kept getting pushed back. We thought we had time."
What They Did After
Post-breach, Henderson Legal implemented everything:
- MFA enforced on ALL accounts (no exceptions)
- Formal offboarding checklist (account disabled within 2 hours of departure)
- Conditional Access policies (block access from risky locations)
- Monthly access reviews (who has access to what)
- Security alerting (unusual activity, such as a burst of file downloads from a single account like the one that ran undetected for 8 hours here, triggers immediate notification)
- Staff security training (quarterly phishing simulations)
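The offboarding checklist as a script. This is an added example of how the "account disabled within 2 hours" step can be done with Microsoft Graph and Exchange Online PowerShell; it is not the firm's checklist or code from the original post, and the account names, the shared-mailbox handover and the licence handling are assumptions about a typical small-firm setup. Its key point is one the story glosses over: disabling the account stops new sign-ins but does not end sessions that are already open, so the script also revokes refresh tokens, rotates the password and removes the licence.

```powershell
# Added example, not from the original post: leaver offboarding for Microsoft
# 365. Disabling the account alone is not enough; refresh tokens already issued
# keep working until revoked, and the mailbox still needs an owner. Requires
# the Microsoft.Graph and ExchangeOnlineManagement modules and an admin role
# that can reset passwords (User Administrator or higher). Names are assumed.
param(
    [Parameter(Mandatory)] [string] $Upn,          # leaver, e.g. sarah@henderson-legal.example (assumed)
    [Parameter(Mandatory)] [string] $DelegateUpn   # who inherits the mailbox, e.g. the supervising solicitor (assumed)
)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'
Connect-ExchangeOnline

$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, AssignedLicenses

# 1. Block new sign-ins. This is the step the firm skipped for six months.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Invalidate refresh tokens and session cookies so Outlook, Teams and
#    browser sessions that are already open cannot silently renew. Access
#    tokens issued before this point still run out their lifetime (about an
#    hour) unless the client honours Continuous Access Evaluation.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Rotate the password so a phished or reused credential is worthless even
#    if the account is re-enabled by mistake later. Nobody is told this value.
$bytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$throwaway = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $throwaway; ForceChangePasswordNextSignIn = $true }

# 4. Keep the mail, drop the licence: convert to a shared mailbox (no licence
#    needed under 50 GB), give the delegate access, then remove every SKU so
#    the leaver is neither costing money nor capable of an M365 session.
Set-Mailbox -Identity $Upn -Type Shared
Add-MailboxPermission -Identity $Upn -User $DelegateUpn -AccessRights FullAccess -InheritanceType All | Out-Null
$skus = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

# 5. Record what was done and when; the timeline in the story is exactly the
#    evidence a regulator asks for.
[pscustomobject]@{
    User     = $Upn
    Disabled = (Get-MgUser -UserId $user.Id -Property AccountEnabled).AccountEnabled -eq $false
    Licences = @((Get-MgUser -UserId $user.Id -Property AssignedLicenses).AssignedLicenses).Count
    Mailbox  = (Get-Mailbox -Identity $Upn).RecipientTypeDetails
    When     = (Get-Date).ToString('o')
}
```

Run it as `.\Offboard-Leaver.ps1 -Upn sarah@henderson-legal.example -DelegateUpn partner@henderson-legal.example` (both addresses assumed). It deliberately does not delete the account: a disabled, unlicensed account preserves the audit trail and the mailbox for any later legal hold, which is the trade-off a law firm usually wants. Group memberships, shared SharePoint sites and any registered MFA devices still need a look as part of the same checklist.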
Cost to implement all of this? $4,700 and 12 hours of consultant time.
Cost of the breach? $73,400 in direct costs + $180,000 in lost clients = $253,400.
The Lesson
"We thought security was IT's problem. We learned it's a business risk problem." — Managing Partner, Henderson Legal
The assessment identified the risks. The breach proved them real. The only difference: timing and cost.
Could This Happen to You?
Here's a quick self-assessment. Answer honestly:
- Do you have MFA enforced on ALL M365 accounts (required by policy, not merely registered by some users)?
- Do you have a formal offboarding process (disable accounts within 24 hours)?
- Do you review user access quarterly (who has access to what)?
- Do you have alerting configured for suspicious activity?
- Have you had a security assessment in the past 12 months?
If you answered "no" to any of these, you have the same gaps Henderson Legal had before their breach.
Don't Learn the Hard Way
Our M365 security assessment finds these gaps before attackers do. Delivered in 2-3 business days.
Book M365 Assessment - From $499 + GST
Final Thoughts
Breaches aren't usually sophisticated nation-state attacks. They're opportunistic criminals exploiting basic security gaps.
Henderson Legal wasn't targeted because they were special. They were targeted because they had an open door: an active account with no MFA and no monitoring.
The best time to fix your security gaps was 6 months ago.
The second-best time is now.