A Hampshire law firm has been reprimanded by the data watchdog after hackers were able to access client details because of insufficient security measures. 

Levales Solicitors LLP, which specialised in criminal and military law, was found by the Information Commissioner’s Office to have failed to ensure the confidentiality of its processing systems.

An 'unknown actor' had accessed the firm’s secure cloud-based server and later published the data on the dark web. The material stolen included names, addresses, national insurance numbers, prisoner numbers and health status of clients.

In total, 8,234 UK data subjects were affected. Of these, 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.

Read more

The ICO said Levales had breached regulations requiring that organisations to ‘ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services’.

Levales did not have multi-factor authentication (MFA) for the affected domain account and relied on computer prompts for the management and strength of passwords. The hackers were able to gain access to the administrator level account through compromised account details, and the firm has not been able to confirm how these were obtained.

The ICO said multi-factor authentication is a ‘basic measure’ which firms processing personal data would be expected to implement.

The commissioner added: ‘Levales Solicitors LLP did not implement appropriate technical and organisational measures to ensure their systems were secure. Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring.

‘Levales had not reviewed if the technical measures associated with the contract, were appropriate for the personal data they were processing since the contract was first signed in 2012.’

The firm said it had taken remedial steps in the light of the incident. This includes the introduction of MFA for all user accounts, updated service contracts with third party providers, and a complete review of existing systems.

Given these changes, the ICO said a reprimand was an appropriate penalty.