On 11 October 2024, the Information Commissioner’s Office (ICO) issued a GDPR reprimand to a Hampshire law firm following a data breach that affected over 8,000 individuals. Levales Solicitors LLP, a law firm specialising in criminal and military law, was reprimanded after an unknown cyber-attacker gained access to its secure cloud-based server. The attacker used legitimate credentials to infiltrate the system, eventually leaking personal data on the dark web, including, among other things, name, address, date of birth, national insurance number, criminal data, details of complainants and victims, and legally privileged information.

Ibrahim Hasan

A total of 8,234 data subjects were affected by the breach, with 863 individuals considered at high risk of harm due to the nature of the sensitive data involved. This included data related to serious offences such as murder, terrorism, sexual offences, and matters involving vulnerable adults or children.

The ICO’s reprimand focuses on the infringement of two key articles of the UK GDPR, namely: article 32(1)(b) (the need to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems); and article 32(1)(d) (the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks involved). It found that Levales failed to ensure the ongoing confidentiality of its systems, leaving them vulnerable to the cyber-attack (article 32(1)(b)). The ICO identified several critical issues:

No multi-factor authentication (MFA): MFA, a basic yet crucial security measure, was not in place for the domain account affected by the breach. This allowed the attacker to access the system using stolen credentials. Despite its simplicity, MFA is considered one of the most effective ways to prevent unauthorised access.

Weak password management: Levales had no clear password policy in place at the time of the breach, relying instead on computer prompts to guide password strength and updates. The lack of a formalised approach to password management further exposed the firm’s systems to risk.

Unknown point of compromise: Levales was unable to determine how the attacker obtained the credentials, demonstrating a lack of sufficient oversight into how the breach occurred.

The ICO also criticised Levales for failing to implement appropriate technical and organisational security measures (article 32(1)(d)). Notably:

Outsourced IT management: Levales had outsourced its IT management but had not reviewed or updated its security measures since 2012. The firm was unaware of the basic security processes, such as detection, prevention and monitoring systems, that its third-party provider had in place.

Inadequate contract reviews: the ICO expects that organisations outsourcing services conduct regular reviews to ensure security measures are up to date and appropriate. Levales had not reassessed its IT service contract since signing it, leaving potential vulnerabilities unchecked.

The National Cyber Security Centre provides a 12-step guide on supply chain security, which advises that vulnerabilities within contracts can be easily exploited if the responsibilities and security measures between the provider and controller are not clearly defined or regularly reviewed.

Despite these failings, the ICO did acknowledge that Levales had taken remedial steps following the breach, including:

  • introducing MFA for all user accounts;
  • updating service contracts with third-party providers to ensure better security; and
  • conducting a comprehensive review of existing systems and prioritising firewall upgrades.

After taking all factors into consideration, including the remedial steps taken by Levales, the ICO decided to issue a formal reprimand under article 58(2)(b) of the UK GDPR.

This is not the first time that a law firm has been found to be in breach of GDPR. In August 2023, the ICO issued a formal reprimand to Swinburne, Snowball and Jackson. A fraudster compromised an employee Outlook email account via a spear phishing attack and interfered with payments to beneficiaries of a probate matter. The firm reported the matter to its personal data insurers and the SRA as well as the individuals affected by the breach. It notified the ICO 12 days after the breach was identified. The ICO set out its recommendations in the reprimand, including regular security assessments, a formal password policy, anti-spoofing measures and data protection training (including on cybersecurity) for all employees on a regular basis.

In 2022, the ICO fined Tuckers Solicitors LLP £98,000 for infringements of GDPR arising from a data breach. The fine followed a ransomware attack on the firm’s IT systems in which the attacker encrypted 972,191 files, of which 24,712 related to court bundles; 60 of those were exfiltrated by the attacker and released on the dark web. Some of the files included special category data. Tuckers reported the breach to the ICO as well as to affected individuals through various means, including social media. The ICO concluded that there were several areas in which Tuckers had failed to comply with, and to demonstrate that it complied with, the security principle under GDPR. Its technical and organisational measures were, over the period, inadequate. Among other things, the ICO highlighted the lack of MFA.

Firms should review their data protection and security policies and consider these steps:

  • Implement MFA for all accounts to reduce the risk of credential theft.
  • Ensure that password policies are robust and regularly reviewed.
  • Review contracts with third-party service providers to confirm that appropriate security measures are in place and understood by both parties.
  • Regularly assess and update security systems to ensure they remain effective against evolving cyber threats.
  • Document and monitor security measures, ensuring that they are tailored to the specific risks associated with the data being processed.

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)