Criminal defence firm Tuckers Solicitors has been fined £98,000 after failing to secure sensitive court bundles that were later published on the dark web and held to ransom by organised criminals. 

The information commissioner found that a ransomware attack on the national firm resulted in the encryption of 972,191 files, of which 24,712 related to court bundles.

iStock-1282840319

Around 972,000 files were encrypted during the cyber-attack

Source: iStock

Of the encrypted bundles, 60 were taken by the attackers and then posted in underground data marketplaces. 

Of these, 15 related to criminal court proceedings (most of which were concluded) and 45 involved civil proceedings. The bundles included a comprehensive set of personal data with medical files, witness statements and names and addresses of witnesses and victims relating to crimes such as rape and murder. Some clients whose details were shared were vulnerable in terms of their mental or physical wellbeing.

The ICO said Tuckers became aware on 24 August 2020 of the ransomware attack on its system and determined the following day that the attack had resulted in a personal data breach. On 25 August, the firm reported the breach and shut down the system, preventing any further possible authorised access.

The decision notice said: ‘The commissioner considers that Tuckers' failure to implement appropriate technical and organisation measures over some or all of the relevant period rendered it vulnerable to the attack.’

The ICO made clear that while primary culpability for the incident rested with the attacker, the firm had given them a ‘weakness to exploit’ and was responsible for the protection of personal data. The firm had not used multi-factor authentication for remote access to its systems, despite this being recommended since 2018.

The ICO said this extra protection was a ‘comparably low-cost preventative measure which Tuckers should have implemented’, which would have substantially increased the difficulty of an attacker entering its network. Entry could have been gained through the exploitation of a single username and password, and the Tuckers system was exposed to cyber-attacks because of the lack of multi-factor authentication. 

Tuckers admitted to investigators that personal data stored on the archive server subject to the attack had not been encrypted as a precaution. This might not have prevented the attack but would have mitigated the risk posed.

The ICO said infringements to data protection rules showed that the firm’s approach to data protection compliance ‘was not of an appropriate standard’. 

In mitigation, the ICO accepted that Tuckers proactively sought to address the security concerns and engaged with third party experts to bolster its systems. MFA access was implemented to all remote access and mandatory training provided for all staff. The firm has automated the deletion of personal data on its case management system on the expiry of the retention period and transferred all client data to a more secure system. Testing is regularly carried out and all critical and high-risk issues remedied.

In a statement, the firm said: ‘Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.

‘We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.

‘But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.’

 - A questionnaire to help law firms and chambers understand information security risks will be launched at the Law Society's annual Risk and Compliance conference on 25 March.

 

This article is now closed for comment.