How a 30-Person Law Firm Lost $73,000 in 48 Hours

This is a real story. Names and identifying details have been changed to protect the firm.

Henderson Legal (not their real name) is a 30-person personal injury law firm in Brisbane. They'd been using Microsoft 365 for 4 years. They thought they were secure.

They weren't.

Friday, 3:47 PM: The Breach Begins

Sarah, a paralegal who left the firm 6 months ago, received a phishing email that looked like it was from Microsoft. It warned her M365 account would be suspended unless she verified her credentials.

She clicked the link and entered her old work email and password. Within minutes, attackers had access.

The problem? Sarah's account was never disabled after she left. It still had active credentials. It was still assigned a Business Premium license. And it still had access to thousands of client emails.

Saturday, 2:14 AM: Discovery

A partner working late noticed unusual "shared with you" notifications in their SharePoint. Files they'd never seen before. Access requests from external email addresses.

They called their IT consultant. By 4 AM, they confirmed: someone had accessed the M365 tenant using Sarah's credentials and spent 8 hours downloading client files and emails.

The 48-Hour Timeline

Hour 0-8 (Friday night)

Attacker accessed 6,000+ client emails via Sarah's mailbox. Downloaded 247 client files from SharePoint. Accessed case notes, settlement agreements, medical records, financial documents.

Hour 12 (Saturday morning)

Breach discovered. IT consultant called in. Sarah's account disabled. Started investigating scope.

Hour 24 (Sunday)

Audit logs reviewed (thankfully the unified audit log was enabled). Confirmed: 6,000 emails, 247 files, 89 clients affected. Notification under the Privacy Act's Notifiable Data Breaches scheme required.

Hour 36 (Sunday night)

Retained cyber security firm ($18,000) to investigate and secure the environment. Retained privacy lawyer ($12,000) for the notification to the OAIC (Office of the Australian Information Commissioner).

Hour 48 (Monday morning)

Notified OAIC. Began process of notifying 89 affected clients. Partners calling clients personally to explain.
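
The scoping step at Hour 24 is the part of this timeline a practitioner can reproduce. The script below is an added example, not the forensic firm's procedure or CyberChex tooling: it pulls one account's SharePoint, OneDrive and mailbox activity from the Microsoft 365 unified audit log for a time window, counts the distinct files touched, lists the source IP addresses, and flags the window if the file count passes a threshold. It needs the ExchangeOnlineManagement module and a role that can read audit logs. The UPN, the time window and the threshold of 50 files are constructed for the story; substitute your own.

```powershell
# Added example: scope what one account touched via the unified audit log.
# Assumes the ExchangeOnlineManagement module is installed and the caller can
# read audit logs. UPN, window and threshold below are constructed values.
Connect-ExchangeOnline

function Get-AccountActivitySummary {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [int]$DownloadThreshold = 50   # assumed: files per window that should page someone
    )
    # Bulk pulls from SharePoint/OneDrive appear as FileDownloaded (browser) or
    # FileSyncDownloadedFull (sync client); FileAccessed covers opens/previews.
    # MailItemsAccessed records mailbox reads, but only when the tenant's audit
    # licensing includes it; if it is absent, mailbox scope must come elsewhere.
    $ops = 'FileDownloaded', 'FileSyncDownloadedFull', 'FileAccessed', 'MailItemsAccessed'

    # The log is paged; a fixed SessionId with ReturnLargeSet walks all pages.
    $session = "scope-$Upn-$(Get-Date -Format yyyyMMddHHmmss)"
    $raw = @()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $Upn `
                    -Operations $ops -SessionId $session -SessionCommand ReturnLargeSet `
                    -ResultSize 5000)
        $raw += $page
    } while ($page.Count -eq 5000)

    # The interesting fields live in the AuditData JSON blob of each record.
    $events = @($raw | ForEach-Object { $_.AuditData | ConvertFrom-Json })

    # Exchange records call the field ClientIPAddress, SharePoint records ClientIP.
    # An address the firm never uses, appearing for hours, is the tell.
    $ips = $events |
        ForEach-Object { if ($_.ClientIP) { $_.ClientIP } else { $_.ClientIPAddress } } |
        Group-Object | Sort-Object Count -Descending

    $files  = @($events | Where-Object { $_.Operation -like 'File*' } |
                ForEach-Object { $_.ObjectId } | Sort-Object -Unique)
    $sorted = @($raw | Sort-Object CreationDate)

    [pscustomobject]@{
        User             = $Upn
        Events           = $events.Count
        FilesTouched     = $files.Count
        MailboxReads     = @($events | Where-Object { $_.Operation -eq 'MailItemsAccessed' }).Count
        FirstSeen        = if ($sorted.Count) { $sorted[0].CreationDate }  else { $null }
        LastSeen         = if ($sorted.Count) { $sorted[-1].CreationDate } else { $null }
        SourceIPs        = ($ips | ForEach-Object { "$($_.Name) ($($_.Count))" }) -join ', '
        ExceedsThreshold = $files.Count -ge $DownloadThreshold
        Files            = $files   # feed this list to the notification workstream
    }
}

# Constructed usage: the window from just before the phish to discovery.
$summary = Get-AccountActivitySummary -Upn 'sarah@henderson-legal.example' `
    -Start (Get-Date '2024-06-14 15:30') -End (Get-Date '2024-06-15 04:00')
$summary | Select-Object -ExcludeProperty Files | Format-List
```

The same function, scheduled hourly over the previous hour for every licensed user and raising an alert when ExceedsThreshold is true, is the cheapest possible version of the monitoring this firm did not have. Two caveats: unified audit log ingestion can lag (most records arrive within an hour or two, some later), so an hourly job looks back further than an hour; and an investigation should always pull the raw records into evidence storage before anyone touches the tenant, because retention in the log is finite.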

The Cost Breakdown

Total Cost: $73,400

  • Cyber security investigation: $18,000
  • Privacy lawyer (OAIC notification): $12,000
  • Credit monitoring for 89 clients (2 years): $15,800
  • PR/crisis communications consultant: $8,500
  • Lost billable hours (3 days, 6 staff): $14,400
  • IT remediation (MFA, security hardening): $4,700

This doesn't include the indirect costs. The lost clients alone, covered below, came to $180,000.

What Made This Breach Possible

The forensic investigation found four critical security gaps:

  1. No MFA on Sarah's account — The password alone was enough, so a phished password was a working login
  2. No offboarding process — Sarah's account was still enabled, still licensed and still had its password 6 months after departure
  3. Excessive access rights — A paralegal had access to ALL client files (it should have been need-to-know per matter)
  4. No monitoring/alerts — The audit log recorded 8 hours of bulk downloads from one account, but nothing was watching it
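
Gaps 1 and 2 can both be found with a single tenant query, and gap 2 has a fixed sequence of steps that a script should run every time rather than a person remembering. The following is an added example, not CyberChex's assessment tooling: it uses the Microsoft Graph PowerShell SDK to list accounts that are enabled and licensed but have no MFA method registered or have not signed in for 90 days (exactly Sarah's account), and then offboards a named account: disable, revoke sessions, rotate the password, reclaim the licence. The 90-day threshold and the UPN at the end are assumptions. SignInActivity is only populated when the tenant holds an Entra ID P1 licence; without it every account reports no last sign-in.

```powershell
# Added example, not CyberChex tooling: find the "Sarah pattern" and offboard
# an account properly. Assumes the Microsoft.Graph module is installed and an
# admin consents to the scopes below. Threshold and UPN are assumed values.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All',
    'UserAuthenticationMethod.Read.All', 'User.ReadWrite.All'

$StaleDays = 90   # assumed: a leaver should actually be disabled within 24 hours

function Get-RiskyAccounts {
    # Enabled, licensed accounts with no MFA method registered and/or no sign-in
    # for $StaleDays days. Sarah's account met every one of these conditions.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, AssignedLicenses, SignInActivity |
        Where-Object { $_.AccountEnabled } |
        ForEach-Object {
            $u = $_
            # Every account carries a passwordAuthenticationMethod; any other
            # registered method (Authenticator, FIDO2 key, phone) means MFA-capable.
            # The concrete type is exposed in AdditionalProperties['@odata.type'].
            $mfa = @(Get-MgUserAuthenticationMethod -UserId $u.Id |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] } |
                Where-Object { $_ -ne '#microsoft.graph.passwordAuthenticationMethod' })
            $last = $u.SignInActivity.LastSignInDateTime
            [pscustomobject]@{
                User          = $u.UserPrincipalName
                Licensed      = $u.AssignedLicenses.Count -gt 0
                MfaRegistered = $mfa.Count -gt 0
                LastSignIn    = $last
                Stale         = ($null -eq $last) -or ($last -lt $cutoff)
            }
        } |
        Where-Object { $_.Licensed -and (-not $_.MfaRegistered -or $_.Stale) }
}

function Invoke-Offboarding {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName -Property Id, AssignedLicenses
    # 1. Block new sign-ins.
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    # 2. Disabling does not kill tokens already issued; revoke refresh tokens so
    #    sessions on the leaver's devices (or an attacker's) stop renewing.
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    # 3. Rotate the password so a phished or reused credential is dead even if
    #    someone re-enables the account by mistake later.
    $pw = -join (1..32 | ForEach-Object { [char](Get-Random -Minimum 33 -Maximum 127) })
    Update-MgUser -UserId $u.Id -PasswordProfile @{ Password = $pw; ForceChangePasswordNextSignIn = $true }
    # 4. Reclaim the licence (Sarah still held Business Premium six months on).
    #    If the mailbox must be kept, convert it first with the Exchange Online
    #    module (Set-Mailbox -Identity $UserPrincipalName -Type Shared), because
    #    an unlicensed user mailbox is deleted after the grace period.
    $skus = @($u.AssignedLicenses | ForEach-Object { $_.SkuId })
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $u.Id -AddLicenses @() -RemoveLicenses $skus | Out-Null
    }
}

# Usage: list the gaps, then close one (assumed UPN).
Get-RiskyAccounts | Format-Table -AutoSize
# Invoke-Offboarding -UserPrincipalName 'sarah@henderson-legal.example'
```

Two things the script deliberately does not do. Enforcing MFA is a policy decision, not a per-user action: for a tenant this size, turning on Security Defaults, or a Conditional Access policy that requires MFA for all users, is what closes gap 1; the query above only shows who has not registered yet. And gap 3, file access scoped per matter rather than firm-wide, is a SharePoint permission design problem that no account-level script fixes.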

The Worst Part

Six months before the breach, Henderson Legal had a CyberChex M365 security assessment.

Our report flagged all four of these issues.

The remediation roadmap was sitting in their inbox. Priority: Immediate (48 hours).

They never implemented it.

"We were going to," the managing partner told us later. "It just kept getting pushed back. We thought we had time."

What They Did After

Post-breach, Henderson Legal implemented everything the roadmap had recommended.

Cost to implement all of this? $4,700 and 12 hours of consultant time.

Cost of the breach? $73,400 in direct costs + $180,000 in lost clients = $253,400.

The Lesson

"We thought security was IT's problem. We learned it's a business risk problem." — Managing Partner, Henderson Legal

The assessment identified the risks. The breach proved them real. The only difference: timing and cost.

Could This Happen to You?

Here's a quick self-assessment. Answer honestly:

  1. Do you have MFA enforced on ALL M365 accounts?
  2. Do you have a formal offboarding process (disable accounts within 24 hours)?
  3. Do you review user access quarterly (who has access to what)?
  4. Do you have alerting configured for suspicious activity?
  5. Have you had a security assessment in the past 12 months?

If you answered "no" to any of these, you have the same gaps Henderson Legal had before their breach.

Don't Learn the Hard Way

Our M365 security assessment finds these gaps before attackers do. Delivered in 2-3 business days.

Book M365 Assessment - From $499 + GST

Final Thoughts

Breaches aren't usually sophisticated nation-state attacks. They're opportunistic criminals exploiting basic security gaps.

Henderson Legal wasn't targeted because they were special. They were targeted because they had an open door: an active account with no MFA and no monitoring.

The best time to fix your security gaps was 6 months ago.

The second-best time is now.
