A law firm subject to a cyber attack has been fined £60,000 for failing to ensure the security of personal information. Merseyside-based DPP Law Ltd, which specialises in criminal law and actions taken against the police, suffered the attack in 2022 when hackers gained access to its network and took more than 32GB of data.

The firm became aware of the extent of the attack when the National Crime Agency got in contact to advise that information relating to its clients had been posted on the so-called dark web.

DPP has said it disagrees with the Information Commissioner’s Office conclusions and will be lodging an appeal.

The ICO stated that DPP did not consider that the loss of access to personal information constituted a personal data breach, and so did not report the incident until 43 days after it, rather than within the 72 hours required under the UK GDPR. The UK GDPR definition of a personal data breach covers loss of access to personal data as well as its unauthorised disclosure, so an outage caused by an attack is itself a reportable event.

Andy Curry, director of enforcement and investigations for the ICO, said the fine should serve as a warning that data protection is not optional but a legal requirement, and that failure to protect information carries serious consequences.

‘Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access,’ said Curry. ‘In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.’

DPP first noticed the attack when its email server stopped working and staff lost access to the IT network. The external IT supplier advised that it was a ransomware incident, even though no payment demand had been received. It was later found that an end-user laptop had been compromised a day earlier.

During the following week, DPP reviewed firewall and server logs and concluded that no data had been extracted. But the NCA later advised that three folders of DPP’s data had been published, including court bundles, PDFs, Word documents, photos and video (including police body-cam footage) relating to clients and to experts instructed to give evidence.

The firm has since received five potential professional negligence claims, including from three people whose data was stolen and who say they have suffered distress, shock and anxiety.

A subsequent review found the breach had occurred through a rarely used administrator account for an old case management system. The account had been left enabled so that the system could still be accessed, but it carried full administrator rights. This system was operated in accordance with Solicitors Regulation Authority guidance.

The attackers used this account to gain access through a remote desktop machine and then moved laterally across DPP's network.

The firm stated that it had not conducted a risk assessment of this account, following advice from the company that set it up. The ICO said the law requires organisations to take ‘continual and proactive steps’, including ensuring that all IT systems have adequate protection.
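The root cause described above, a dormant account with full administrator rights that was still reachable over remote desktop and had never been risk-assessed, is exactly the kind of thing a periodic review and a simple detection rule can surface. The following is an added example written for this page, not code from DPP, its IT supplier or the ICO; the account inventory and the Windows Security log events are constructed for illustration and do not represent the real incident. It does two things: lists privileged accounts that have not logged on for a configurable number of days (the review that was never carried out), and flags RDP logons (event 4624, logon type 10) by a privileged account that had been dormant before that logon (the pattern of the intrusion as the article describes it).

```python
from datetime import datetime, timedelta

# Constructed sample account inventory (not real DPP data), as an AD export
# might provide it: group membership and the last recorded logon.
ACCOUNTS = {
    "svc_legacycms": {"groups": ["Domain Admins"], "last_logon": "2021-11-03T09:12:00"},
    "jsmith":        {"groups": ["Domain Users"],  "last_logon": "2022-06-09T08:55:00"},
    "itadmin":       {"groups": ["Domain Admins"], "last_logon": "2022-06-08T17:40:00"},
}

# Constructed Windows Security log events. 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP), 3 = network, 2 = local interactive.
EVENTS = [
    {"time": "2022-06-09T08:55:10", "id": 4624, "user": "jsmith",        "logon_type": 2,  "src": "-"},
    {"time": "2022-06-09T09:01:44", "id": 4624, "user": "itadmin",       "logon_type": 10, "src": "10.0.0.7"},
    {"time": "2022-06-09T22:14:31", "id": 4624, "user": "svc_legacycms", "logon_type": 10, "src": "203.0.113.45"},
    {"time": "2022-06-09T22:16:02", "id": 4624, "user": "svc_legacycms", "logon_type": 3,  "src": "10.0.0.15"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
RDP_LOGON_TYPE = 10


def parse_ts(iso):
    return datetime.fromisoformat(iso)


def is_privileged(account):
    return bool(PRIVILEGED_GROUPS & set(account["groups"]))


def dormant_privileged_accounts(accounts, now_iso, dormant_days=90):
    """Privileged accounts with no logon in the last dormant_days as of now_iso.
    These are the accounts a risk assessment should disable, strip of
    admin rights, or at minimum put behind MFA and restricted remote access."""
    cutoff = parse_ts(now_iso) - timedelta(days=dormant_days)
    return sorted(name for name, acct in accounts.items()
                  if is_privileged(acct) and parse_ts(acct["last_logon"]) < cutoff)


def suspicious_rdp_logons(events, accounts, dormant_days=90):
    """Flag RDP logons by a privileged account that was dormant for at least
    dormant_days immediately before that logon. Returns (time, user, src) tuples.
    Last-seen times start from the inventory and are updated as events are
    replayed, so a burst of logons after the first one is reported once."""
    last_seen = {name: parse_ts(acct["last_logon"]) for name, acct in accounts.items()}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        if ev["id"] != 4624:
            continue
        acct = accounts.get(ev["user"])
        when = parse_ts(ev["time"])
        if acct is not None and is_privileged(acct) and ev["logon_type"] == RDP_LOGON_TYPE:
            if when - last_seen[ev["user"]] >= timedelta(days=dormant_days):
                alerts.append((ev["time"], ev["user"], ev["src"]))
        if acct is not None and when > last_seen[ev["user"]]:
            last_seen[ev["user"]] = when
    return alerts


if __name__ == "__main__":
    print("Dormant privileged accounts:",
          dormant_privileged_accounts(ACCOUNTS, "2022-06-09T08:00:00"))
    for alert in suspicious_rdp_logons(EVENTS, ACCOUNTS):
        print("ALERT: RDP logon by dormant admin account", alert)
```

On the constructed data the review lists `svc_legacycms` (a Domain Admin unused for over 200 days) and the detection fires once, for its RDP logon from an external address; the later network logon by the same account is not re-reported, and `itadmin`, which had logged on the day before, is not flagged. In a real estate the inventory would come from a directory export and the events from a SIEM, and the dormant-days threshold and privileged-group list would be tuned to the organisation.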

Following the attack, DPP moved its complete case management, accounts and email system to a new host. Notifications were sent to affected data subjects.

The firm admitted it was ‘totally reliant’ on third-party IT contractors and highlighted the unsophisticated nature of its internal IT function. Steps have since been taken to improve DPP's security, although the ICO said these were not mitigating factors, as they should have been taken anyway.

In a statement, the firm stated it had fully cooperated with the investigation and emphasised its security credentials. ‘DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified,’ it stated. ‘This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials). These independent certifications are intended to assure clients and stakeholders of our adherence to best practices.’
