wtlawllp.co.uk
Added Jul 9, 2026
Revenue: 5,000,000 Size: 19GB | WT Law LLP: Internal Documents of a UK Law Firm PROLOGUE Inside: full credit reports with data from three credit bureaus—on the firm's current employees, marked by the publisher as "Store and Destroy Securely." Bank account details with full transaction histories. Real estate purchase and sale agreements with buyer, seller, and price information. A personally signed Annual Risk Review protocol in which the Managing Partner explains why the firm decided not to insure against cybercrime—and why he believes the PI policy will cover a cyberattack on client funds. An open client insurance claim—nearly two years with no payouts and no reserves. Claims against the firm. A data map: NI numbers, bank details, and sources of funds across 500 open matters. An AML audit in which not a single employee was interviewed—and the firm officially acknowledged this in its response to the regulator. In this article, you will be able to review only a portion of the data we have chosen to disclose. Everything else you will be able to download and review on your own after the full archive is published. --- Part I. Who Is WT Law LLP WT Law LLP is a UK law firm (Limited Liability Partnership), regulated by the SRA (Solicitors Regulation Authority). It specializes in conveyancing, private client matters (wills, powers of attorney, probate), as well as property and corporate disputes. Registered office: 3rd Floor, 46 Aldgate High Street, London EC3N 1AL Lexcel accreditation: continuous since 2015 (annually confirmed by Recognising Excellence Limited) CQS accreditation: active (renewed May 2026) Cyber Essentials: not held The firm handles approximately 500 open client matters . Of the 11 listed employees, only 6 fee earners are actively handling cases. All key regulatory roles (COLP, COFA, MLRO, MLCO, DPM) and the Managing Partner status are concentrated in one individual— Andrew Wong . --- Part II. Strategic Business Plan: Finances and Risks Cyber insurance: HIGH-priority, ignored three times. Among the key 2025 objectives in the risk management section: | Task | Deadline | Risk Level | |---|---|---| | "Consider Cyber Indemnity" | March 2025 | HIGH | By March 2025, the task had not been completed. In the June 2025 annual risk review—again, no progress. In the June 2026 risk register—still "Cyber Insurance is not currently in place." The firm assigned itself a HIGH-risk task with a specific deadline—and ignored it for over a year and a half. "Business Development: None at present" — that is exactly, verbatim, what is recorded in the corporate objectives section. No budget, no client acquisition plan exists. New client acquisition historically happens through connections in the Chinese-speaking community—and only through them. File closure—an ongoing HIGH-risk task. Another entry in the objectives table: | Task | Deadline | Risk Level | |---|---|---| | Close 10–15 matters per month | Ongoing | HIGH | This is documentary evidence of a chronic problem with unclosed files—systemic, not one-off. The figure of 500 open matters in the 2026 Lexcel report confirms the issue was never resolved. Sole control is documented. The business plan explicitly establishes: The person simultaneously holding six regulatory roles is the only one who hires staff, the only one who authorizes client fund transfers, and the only one who receives all management feedback within the firm. --- Part III. Full Credit Report The most critical documents—a full credit report on the names of the firm's current employees. This is one complete credit report spanning 50 pages , generated by CheckMyFile on August 4, 2025. Data was obtained simultaneously from three credit bureaus: Experian, Equifax, and TransUnion. Subject of the report: | Field | Data | |---|---| | Name | Mr Malachy Mcdermott | | Date of Birth | 7 April 1977 | | Address | Flat 4, 140 Hornsey Lane, London N6 5NS | | Credit Score | 846 | | Report Date | 4 August 2025 | Identified credit accounts from the report: American Express (card ending in 057) - Opened: 20 August 2020 - Balance: £2,919 - Limit: £10,000 - Status: Normal (all payments up to date) - Payment history: full—from 2020 to 2025 Capital One (card ending in 5015) - Opened: 14 April 2015 - Balance: £366 - Limit: £4,000 - Status: Normal - Payment history: included in the report And these are just the first two accounts. The report is 50 pages long—it contains the subject's entire credit history over the last 6 years, covering mortgages, credit cards, installment plans, and any defaults. The document carries a publisher's warning: "Personal and Confidential Document—Store and Destroy Securely." Malachy Mcdermott is the same individual listed on the WT Law LLP staff roster as of March 2, 2026, as Consultant Solicitor (Property) with an effective date of February 1, 2011 (see Part XI). A complete personal credit report of a current firm employee ended up in the obtained archive—despite the explicit destruction requirement stated on the document itself. --- Part IV. Bank Account with Full Transaction History A bank statement for an account at Lloyds Bank. Such documents are requested from clients in real estate transactions as proof of source of funds. Account details: | Field | Data | |---|---| | Account Holder | Mr Ajinkya Potdar | | Address | 127 Boardwalk Place, London E14 5SG | | Account Type | Club Lloyds | | Sort Code | 30-96-38 | | Account Number | 35591062 | | Balance | £7,841.63 | | June Credits | £12,901.49 | | June Debits | £8,907.37 | | Balance | £11,835.75 | Transaction breakdown: | Description | Amount | |---|---| | Amazon UK Services (FPO) | -£2,757.37 | | N Earkasem (FPI) | +£5,000.00 | | Winkworth Bow (SO) | -£2,600.00 | | LBTH Council Tax (DD) | -£171.00 | | F/Flow Nitin Ram P (TFR) | +£4,360.00 | Winkworth Bow—a real estate agency in Bow, East London: a £2,600 payment by standing order. Sort code 30-96-38 and account number 35591062 are sufficient to initiate unauthorized payment instructions via Faster Payments or for verification over telephone banking. --- Part V. Real Estate Transaction: Names, Addresses, Prices Conveyancing is WT Law LLP's primary practice area. Client files for real estate transactions contain a full package of confidential documentation: agreements, buyer and seller data, prices, bank details. Property: 135 Western Road, Brighton BN1 2LA A commercial leasehold property registered with HM Land Registry (Title EX407962). 2022 sale: Daniel-Alin Badea (Flat 3, 15 Charlotte Street, Brighton BN2 1AG) and Danut Mihaita Busica (Flat 11, 57 Marine Parade, Brighton BN2 1PN)—sellers—assigned the lease to Gonggam BN Limited (Company No 10724059, 30 York Place, Brighton BN1 4GU). | Parameter | Data | |---|---| | Total Transaction Price | £45,000 (excl. VAT) | | Leasehold Value | £35,000 | | Contents Value | £10,000 | | Buyer's Conveyancer | WT Law LLP , 46 Aldgate High Street, London EC3N 1AL | | Seller's Conveyancer | Hudson Morgan Williams Solicitors, 100 High Street, London N14 6BN | | Buyer Contact Person | Geon Woo Ko, 7 Silver Birch Close, Rowan Avenue, BN3 7NU | Also present is a signed contract page for the same property with different parties: Matthew Dominic Sheldon (seller) and Karin Mathilde Martina Artmann (buyer)—meaning the firm holds documents from multiple independent transactions on a single property. --- Part VI. Annual Risk Review 2024: How the Cyber Insurance Policy Took Shape The June 2024 Annual Risk Review is present—a similar document to the 2026 one, but two years earlier. Its existence allows us to trace when management's position on key issues was formed. The position that "the PI policy will cover a cyberattack" has existed since at least June 2024. This is not an ad-hoc decision—it is an established policy that has been recorded in official documents for two consecutive years. At the same time, the January 2025 Strategic Business Plan lists "considering cyber insurance" as a HIGH-priority task with a March 2025 deadline—meaning one hand of the firm recognizes it as a priority, while the other year after year decides to take no action. SRA AML inspection. Between February and April 2024, the SRA conducted a routine AML inspection of the firm via a remote desktop review, concluding in May 2024. The specific findings of the inspection are not disclosed in the documents. Phishing simulation. The 2024 document announces a measure: "The firm is planning to send a fake phishing email to staff as a test of cybercrime preparedness." Later 2025–2026 documents do not mention the results of this test. Consideration of Thirdfort. The document records an intention to consider the Thirdfort platform for AML client verification—"at early stages of consideration." Thirdfort does not appear in subsequent documents. Signed: Andrew Wong . --- Part VII. Risk Register 2025: Two HIGH Risks Instead of One | Risk Category | June 2025 Rating | June 2026 Rating | |---|---|---| | Cybersecurity | HIGH | HIGH | | Managing Claims | HIGH | Medium | | Strategic Risks | Medium | Medium | | Regulatory Risks | Medium | Medium | | Financial Risks | Medium | Medium | | Operational Risks | Medium | Medium | | AML Risks | Medium | Medium | In 2025, claims management was rated HIGH . By 2026, it was downgraded to Medium—despite the Hoi Wan Lam claim remaining unresolved throughout that period (see Part XI). The 2025 register also confirms: " Cyber Insurance is not currently in place "—the same wording as in 2026, and the same policy that contradicts the January 2025 Strategic Business Plan, which listed it as a HIGH-priority task for March 2025. Additionally, the 2025 register records: PII (Professional Indemnity Insurance) renewed in October 2024 , SRA conducted a routine AML inspection between February–April 2024, concluding in May 2024. --- Part VIII. Training Plan October 2025: Managing Partner Did Not Complete His Own Training Planned training expenditure for 2024/25 was £2,000—actual spend was £1,000 . The 2025/26 budget has been restored to £3,000. Andrew Wong himself did not complete mandatory training. The Managing Partner's individual development plan lists the following as incomplete: | Course | Status (October 2025) | |---|---| | COLP/COFA Training | Not Completed | | MLRO/MLCO Training | Not Completed | The person holding all four roles alone had not completed the relevant training for any of them as of October 2025. Waihar Lam: "N/A" across all categories. Consultant Solicitor, on staff since October 2020—"N/A" for each of the 12 mandatory training categories, including AML, cybersecurity, and data protection. Sharan Thethi: crossed-out line. The table includes an employee with a crossed-out name—apparently someone who left. Name: Sharan Thethi. Deadline for completion of all mandatory modules: October 31, 2026 —over one year from the document's date. --- Part IX. Employee Data Map May 2026: What Is Stored and Where It Is Transferred The WT Law LLP employee personal data processing map, prepared in May 2026 (a separate document from the client data map), discloses what exactly the firm stores on its ~10 employees and where it transfers that data. | Data Category | Stored? | Transferred Outside EEA? | |---|---|---| | Contact details (personal and work) | Yes | Yes | | Date of birth | Yes | Yes | | Photographs | Yes | Yes | | Identity documents (passports) | Yes | Yes | | Employment contracts | Yes | Yes | | National Insurance number | Yes | Yes | | Salary and bonus information | Yes | Yes | | Pension data | Yes | Yes | | Tax data (HMRC, P45) | Yes | Yes | | Medical data | Yes | No | | Disability data | Yes | No | | Bank account details | Yes | No | | Ethnicity | Yes | No | | Disciplinary records | Yes | — | NI numbers, passport data, salaries, photographs, and tax data of all employees are transferred outside the EEA . The specific destination countries are not stated in the document, and the legal bases for cross-border transfers are not disclosed. Exit interviews: 0 records. The document structure includes a section for storing exit interview information. Number of records— zero . The firm does not conduct exit interviews. CCTV in the office does not belong to the firm: video surveillance is controlled by the building landlord— United Embroidery Limited , retention period for recordings is 30 days. --- Part X. WT Law LLP: Structure and Management The firm's staff list (dated March 2, 2026) and organigram reveal the full structure of the firm at 3rd Floor, 46 Aldgate High Street, London EC3N 1AL. Composition—11 people: | No. | Name | Position | Practice Area | Start Date | |---|---|---|---|---| | 1 | Andrew Wong | Managing Partner / Member / SRO | Property | 03/12/2009 | | 2 | Janak Bakrania | Partner | Property | 15/10/2014 | | 3 | Malachy McDermott | Consultant Solicitor | Property | 01/02/2011 | | 4 | Albert Joia | Consultant Solicitor | Litigation | 28/04/2011 | | 5 | Trevor Bond | Paralegal | Private Client & Property | 21/04/2011 | | 6 | Gnanachandran Aravinthan (Aran) | Accounts Manager | Accounts | 10/2010 | | 7 | Natalie Ip | Consultant Solicitor | Property & Family | 01/07/2019 | | 8 | Jocelyn Chow | Consultant Solicitor | Property | 18/08/2020 | | 9 | Waihar Lam | Consultant Solicitor | N/A | 21/10/2020 | | 10 | Dyska Prayag | Paralegal | Property | 01/04/2026 | | 11 | Tamara Khalil | Solicitor | Property | 04/08/2025 | Concentration of power in one person. The June 2026 organigram shows Andrew Wong's full list of roles: > Managing Partner / COLP / COFA / MLRO / MLCO / DPM Six key regulatory and management roles simultaneously: - COLP — Compliance Officer for Legal Practice (responsible for SRA standards compliance) - COFA — Compliance Officer for Finance and Administration (financial compliance) - MLRO — Money Laundering Reporting Officer (NCA reporting) - MLCO — Money Laundering Compliance Officer (AML compliance) - DPM — Data Protection Manager/Monitor (personal data protection) According to the Lexcel AMV2 Assessment dated June 2, 2026 , the firm had 500 open client matters at the time of review. Of the 11 listed employees, only 6 fee earners are actively handling cases. --- Part XI. WT Law LLP Claims History: The Full Picture A comparison of two sources—the report from insurance broker Howden Insurance Brokers (April 2026) and the QBE/DWF claims register prepared on May 7, 2025, at the firm's request—reveals the complete history of claims against WT Law LLP over the past seven years. Complete claims register (QBE Insurance Europe Limited): | Year | QBE Policy | Claimant | Notification Date | Status | Paid | |---|---|---|---|---|---| | 2019 | QGL35882 | M\ \ \ \ \ \ \ I\ \ \ \ \ \ \ \ \ \ | 14 Oct 2019 | Closed | £0 | | 2021 | QGL37742 | M\ \ \ R\ \ \ A\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ | 27 Sep 2021 | Closed | £0 | | 2024 | QGL41056 | HOI WAN LAM | 22 May 2024 | Open | £0 | Claims for 2020, 2022, 2023, 2025: none. Thus, over the firm's history, three professional liability claims have been recorded. Claimant names for the 2019 and 2021 policies are partially redacted in the QBE document—notation "M\ \ \ \ \ \ \ I\ \ \ \ \ \ \ \ \ \ " in the first case and "M\ \ \ R\ \ \ A\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ " in the second. Both matters were closed with zero payouts. Current open claim—HOI WAN LAM: | Parameter | Data | |---|---| | Claimant | HOI WAN LAM | | Status | Open | | Date per QBE | 22 May 2024 | | Date per Howden | 14 May 2024 | | Last Updated (Howden) | 30 December 2025 | | Paid | £0 | | Reserved | £0 | The discrepancy between notification dates (14 vs. 22 May 2024) indicates the broker was notified 8 days before the insurer. As of April 2026, the claim has been open for nearly two years with no movement on the account—no payments, no reserves set aside. Notably: in the June 2026 Annual Risk Review , Andrew Wong as Managing Partner stated: " No claims/notifications this year "—thereby specifically emphasizing that in the current insurance year (2025/26) there have been no new notifications, while the Hoi Wan Lam claim remains open under the previous policy. --- Part XII. AML Audit and File Reviews: Documented Breaches AML Audit, June 2, 2025 An internal AML audit dated June 2, 2025 —an independent review of WT Law LLP's anti-money laundering procedures under the Money Laundering Regulations 2017. Auditors: - Internal Auditor: Janak Bakrania (Partner, WT Law LLP) - External Support: Priya Patel (Managing Director, Candor Group Limited)—qualified solicitor, 17+ years of practice, 14+ years in AML consulting for law firms Documented findings and recommendations: | Area | Audit Finding | |---|---| | AML Training | Some staff have not completed training in the last 12 months | | Sanctions update (LSAG) | Training not conducted | | MLRO reporting to partners | Insufficiently detailed | | MLCO reporting | Requires improvement | | SAR reports to NCA | "No recent reports have been made" | The audit was signed by Janak Bakrania as the "independent" auditor—despite him being a partner of the same firm. The SRA AML inspection took place in August 2024 . As of the June 2026 Annual Risk Review: over the last 12 months, NCA reports— zero ; AML register— no entries . File Review 2026 (Candor Group, March 31, 2026) A quarterly file review by Candor Group for January–March 2026, completed on March 31, 2026. Fee earners reviewed: Andrew Wong, Janak Bakrania, Tamara Khalil, Malachy McDermott, Albert Joia, Natalie Ip, Trevor Bond, Jocelyn Chow. Key breaches: | Breach | Details | |---|---| | 9 files not provided | Of 20 selected files, 9 were never submitted by staff for review by March 31 | | SOF/W form | Not all fee earners use the client source of funds/wealth form | | Sanctions check results | Not always properly documented in the file | | Terms of Business | Last updated— May 2024 , requires revision (Fraud info, FSCS update, AI reference) | | SAR Q4 2025 | 0 SAR reports received and submitted for Q4 2025 | Correction deadline: April 27, 2026 . Next file reviews—June 2026. Official Assessor Criticism: 8 AML Audit Breaches In June 2025, the Lexcel assessor raised eight formal critical points regarding the firm's AML audit and requested official clarifications. The response to these points was prepared and signed by Janak Bakrania on June 19, 2025. | No. | Assessor Comment | |---|---| | 1 | Audit report not signed or dated | | 2 | Report lacks reference to LSAG methodology | | 3 | Some staff have not completed mandatory AML training | | 4 | Structural oversight issue: the firm has one owner—independent control is impossible | | 5 | Report does not state the number of files reviewed | | 6 | List of documents reviewed not disclosed | | 7 | No interviews were conducted with staff members | | 8 | No link between audit and internal risk management meetings | In other words, the AML audit—a review on which compliance with the Money Laundering Regulations depends—was conducted without a single conversation with staff. And this was officially reported to the regulator. The response was signed by the same Janak Bakrania who was the "independent" internal auditor—and simultaneously a partner of the same firm. --- Who This Matters To Clients of WT Law LLP If you provided the firm with bank statements, credit reports, or personal documents for real estate transactions—you have no guarantee they were destroyed after the matter was closed. According to the data map, the retention period is 6 years, and destruction is at the firm's discretion. Clients Whose Data Was Transferred Outside the EEA The data map explicitly indicates that client data is "sent outside the EEA: Yes" across all practice categories. Neither the specific destination countries nor the legal bases for cross-border transfers are stated in the document. Anyone Using Conveyancing Solicitors A real estate transaction requires providing your solicitor with: passport, bank statements, NI number, source of funds, tax documents. All of this is stored across multiple interconnected systems—some of which belong to third-party providers.
Leak Data
Jul 9, 2026
Published
Jul 9, 2026
Threat Group
settra
ransomware group
View full group profile →