ICO fines law firm £60,000 after dark web publishes client data


Cyber-crime: Firm failed to manage accounts on its server

A law firm which specialises in defending clients accused of sexual offences has been fined £60,000 after a cyber-attack saw “highly sensitive” details of 682 clients published on the dark web.

The Information Commissioner’s Office (ICO) said confidential information relating to 109 experts was also exposed.

DPP Law only became aware of the data breach when it was contacted by the National Crime Agency (NCA), and did not notify the ICO until 43 days after the cyber-attack in June 2022.

The ICO said it received two complaints from clients affected by the breach. One, accused of sexually assaulting a child, said: “I’m now a prisoner in my own home again. In fear of my life. My family’s also.” Another requested compensation to increase security at his home.

The ICO said it did not consider that DPP “acted intentionally” in committing the breaches, but they were “negligent in character”.

The firm, which has five offices in Merseyside, Birmingham and London, specialises in criminal and family law, fraud, military law, actions against the police and sexual offences.

It processed highly sensitive personal data, including “special category data” such as that relating to somebody’s sex life, DNA and allegations of criminal offences, including child sexual abuse.

In a penalty notice published yesterday, the ICO said that at 11.30am on 4 June 2022, DPP’s email server stopped working and staff lost access to its network.

The firm’s IT manager established that all files across its servers had been corrupted, while its external IT supplier believed it had suffered a ransomware incident, despite not receiving any payment demands.

DPP told the ICO that, following an analysis by external consultants, there was evidence of “brute force attempts on its network” as early as February 2022. The attempts were repeated on a further 12 occasions, amounting to some 400 attempts in total to gain access to the network.

The cyber-attacks targeted an administrator account for a legacy case management system.

It was “considered likely” that in June 2022 “an end-user laptop was compromised by the threat actor and subsequently authenticated onto the network”, allowing them to access the administrator account.

DPP had multi-factor authentication for people connecting to its network, but not for the administrator account, which was treated as a “service-based account”.
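The sequence described above, months of repeated failed logons against one privileged account, followed eventually by a successful authentication to it, is exactly the pattern that failed-logon monitoring is meant to surface, and a service account exempted from MFA is the account such monitoring should watch most closely. The script below is an added illustration and is not code from the ICO notice, from DPP or from its IT suppliers. The log format, the account name cms_admin, the source addresses and the thresholds are all assumptions made for the example, and the log lines are constructed, not real.

```python
"""Flag brute-force episodes and suspicious successes in authentication logs.

Added example. The log format, account names, addresses and thresholds are
assumptions for illustration, not details from the ICO notice or DPP's systems.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): a legacy privileged account, cms_admin,
# is hit by a short burst in February and again months later; the second
# burst ends in a successful logon from the same source address.
SAMPLE_LOG = """\
2022-02-10T02:14:05Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-10T02:14:09Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-10T02:14:14Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-10T02:14:20Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-10T02:14:27Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-10T02:14:31Z host=cms-legacy event=logon_failure user=cms_admin src=203.0.113.7
2022-02-11T09:01:00Z host=fileserver event=logon_failure user=jsmith src=10.0.4.22
2022-02-11T09:01:40Z host=fileserver event=logon_success user=jsmith src=10.0.4.22
2022-06-03T23:40:02Z host=cms-legacy event=logon_failure user=cms_admin src=198.51.100.23
2022-06-03T23:40:06Z host=cms-legacy event=logon_failure user=cms_admin src=198.51.100.23
2022-06-03T23:40:11Z host=cms-legacy event=logon_failure user=cms_admin src=198.51.100.23
2022-06-03T23:40:15Z host=cms-legacy event=logon_failure user=cms_admin src=198.51.100.23
2022-06-03T23:40:19Z host=cms-legacy event=logon_failure user=cms_admin src=198.51.100.23
2022-06-03T23:40:28Z host=cms-legacy event=logon_success user=cms_admin src=198.51.100.23
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Parse the assumed key=value format into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline would count unparsed lines as a health metric
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def split_episodes(fails, gap):
    """Group one account's chronological failures into episodes separated by more than gap."""
    episodes = []
    for f in fails:
        if episodes and f["ts"] - episodes[-1][-1]["ts"] <= gap:
            episodes[-1].append(f)
        else:
            episodes.append([f])
    return episodes


def detect(events, burst_threshold=5, burst_window=timedelta(minutes=10),
           episode_gap=timedelta(hours=1), min_episodes=2,
           success_window=timedelta(minutes=30)):
    """Return alerts for bursts, repeated campaigns and success-after-failures."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:  # events are time-ordered, so each failures[user] list is too
        if ev["event"] == "logon_failure":
            failures[ev["user"]].append(ev)
        elif ev["event"] == "logon_success":
            # A success from the same source shortly after a run of failures is the
            # highest-priority signal: the guessing may have worked.
            recent = [f for f in failures[ev["user"]]
                      if f["src"] == ev["src"] and ev["ts"] - f["ts"] <= success_window]
            if len(recent) >= burst_threshold:
                alerts.append({"type": "success_after_bruteforce", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"]})
    for user, fails in failures.items():
        episodes = split_episodes(fails, episode_gap)
        for ep in episodes:
            # Fast burst: many failures inside a short window within one episode.
            if len(ep) >= burst_threshold and ep[-1]["ts"] - ep[0]["ts"] <= burst_window:
                alerts.append({"type": "burst", "user": user, "src": ep[0]["src"],
                               "at": ep[0]["ts"], "count": len(ep)})
        # Low-and-slow campaign: the same account targeted in separate episodes.
        if len(episodes) >= min_episodes:
            alerts.append({"type": "repeated_campaign", "user": user,
                           "episodes": len(episodes), "total_failures": len(fails)})
    return alerts


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample the script reports both bursts against cms_admin, the repeated campaign spanning February to June, and the success that followed the second burst, while the single mistyped password for jsmith produces nothing. The thresholds are deliberately low to fit a handful of lines; in production they are tuned per account class, and the lowest thresholds belong on privileged accounts that cannot be covered by MFA.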

It was believed the attacker deployed ransomware but DPP assessed that no data had been exfiltrated. The firm could not access its case management system for eight days but could deal with emails.

The NCA informed DPP on 15 July 2022 that three folders of its data, totalling 32.4GB, had been published on the dark web.

This included court bundles, PDFs, Word documents, photos and video – including police body cam footage – relating to DPP’s clients and experts. Two days later, DPP reported the breach to the ICO.

The law firm said the administrator account targeted was set up in 2001 and had unrestricted access across the network, but it “did not know the password and could not reset it”.

The password was known only to the company which set up the account, later acquired by Thomson Reuters.

The legacy case management system was taken out of service in 2019 but was still operational because of DPP’s data retention policy of six years.

Following the cyber-attack, DPP suspended the administrator account from its network and moved its entire system to a managed hosted environment. The law firm also notified those affected by the attack.

The ICO said that, given the nature of the data processed by DPP, a “high level of security” should have been in place, but there were “critical failings” relating to the administrator account.

The account was “over privileged” in having full access to the network; the firm did not need to use it on a day-to-day basis, and a risk assessment should have been carried out.

The ICO found that DPP had failed to “audit and adequately manage the accounts on its servers” in breach of the UK GDPR. Failing to notify the ICO of the data breach within 72 hours was a further breach.

Andy Curry, interim director of enforcement and investigations at the ICO, commented: “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.

“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cyber security frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”
