The ICO have announced that law firm DPP Law Ltd have been fined £60,000 following a cyber attack in June 2022 that led to sensitive and personal data being published on the dark web.
The incident occurred after a brute force attack granted the attackers access to an administrator account, which was then used to access a legacy case management system. This allowed the attackers to move over 32 gigabytes of data out of the firm and post it on the dark web. The data included highly sensitive and special category data, including legally privileged information. DPP Law Ltd were only made aware of this when the National Crime Agency contacted the firm to inform them that it had happened.
The incident wasn’t reported to the ICO until 43 days after the firm was made aware of it, as they didn’t consider the loss of access to personal data to be a data breach.
During their investigation, the ICO found that DPP Law Ltd had failed to implement appropriate measures to ensure that the personal data they stored electronically was kept secure. This failure is what allowed the attackers to gain access to their network and take the data. Part of what made it so easy was that the attackers targeted an infrequently used administrator account with no multi-factor authentication enabled, meaning that all they needed to do was brute force the password to log in.
In their full report, the ICO state that the financial penalty of £60,000 is an “effective, proportionate and dissuasive measure”.
What can we learn from this?
The key things we can learn from this are as follows:
- The importance of security measures such as MFA – A major failure from DPP Law was the lack of multi-factor authentication on their administrator account. This made it much easier for the attackers to gain access.
- Rarely used and legacy systems can be a point of weakness – While it is easy to forget about rarely used systems and accounts, they can often be an easy point of access for attackers. Ensuring that these accounts have the appropriate security measures in place, or have been properly decommissioned when no longer needed, will help reduce this risk.
- It’s almost always necessary to report a breach to the ICO – You aren’t required to report every data breach to the ICO, but it is very important that when a breach does happen, you carefully consider whether it is reportable. You must consider whether there is a risk to the rights and freedoms of the individuals impacted by the breach. The ICO have resources to help you determine this, such as their Self-assessment for breaches tool. Training staff to understand what constitutes a breach will help make this process as straightforward as possible. You must also keep in mind that a reportable breach must be reported within 72 hours of its discovery.
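The first two lessons above (MFA on privileged accounts, and dormant or legacy accounts as a weak point) can be turned into a routine audit. The script below is an added example, not part of the ICO report or anything from DPP Law; the account inventory and its field names are constructed, standing in for an export from an identity provider.

```python
"""Audit a privileged-account inventory for the pattern described above:
an infrequently used administrator account with no MFA.

Added example; not from the ICO report or DPP Law. The inventory is
constructed, and its field names are assumptions, not a real export format.
"""
from datetime import datetime, timedelta

# Constructed sample inventory (assumed field names).
ACCOUNTS = [
    {"user": "j.smith", "admin": True, "mfa": True, "last_login": "2022-06-01"},
    {"user": "legacy-admin", "admin": True, "mfa": False, "last_login": "2021-11-14"},
    {"user": "svc-cms", "admin": False, "mfa": False, "last_login": "2022-05-30"},
    {"user": "old-partner", "admin": False, "mfa": False, "last_login": "2021-03-02"},
]


def audit_accounts(accounts, as_of, dormant_days=90):
    """Return {user: [findings]} for accounts that need attention.

    admin_no_mfa : privileged account protected by a password alone
    dormant      : unused for more than `dormant_days`; decommission or re-justify
    critical     : both of the above together, the combination exploited here
    """
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {}
    for acct in accounts:
        issues = []
        idle = as_of_date - datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if acct["admin"] and not acct["mfa"]:
            issues.append("admin_no_mfa")
        if idle > timedelta(days=dormant_days):
            issues.append("dormant")
        if "admin_no_mfa" in issues and "dormant" in issues:
            issues.append("critical")
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, "2022-06-15").items():
        print(f"{user}: {', '.join(issues)}")
```

Run against a real export, the "critical" entries are the accounts to fix or remove first; the "dormant" ones are candidates for decommissioning.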