
Cyber-crime: Firm failed to manage accounts on its server
A law firm which specialises in defending clients accused of sexual offences has been fined £60,000 after a cyber-attack saw “highly sensitive” details of 682 clients published on the dark web.
The Information Commissioner’s Office (ICO) said confidential information relating to 109 experts was also exposed.
DPP Law only became aware of the data breach when it was contacted by the National Crime Agency (NCA), and did not notify the ICO until 43 days after the cyber-attack in June 2022.
The ICO said it received two complaints from clients affected by the breach. One, accused of sexually assaulting a child, said: “I’m now a prisoner in my own home again. In fear of my life. My family’s also.” Another requested compensation to increase security at his home.
The ICO said it did not consider that DPP “acted intentionally” in committing the breaches, but they were “negligent in character”.
The firm, which has five offices in Merseyside, Birmingham and London, specialises in criminal and family law, fraud, military law, actions against the police and sexual offences.
It processed highly sensitive personal data, including “special category data” such as that relating to somebody’s sex life, DNA and allegations of criminal offences, including child sexual abuse.
In a penalty notice published yesterday, the ICO said that at 11.30am on 4 June 2022, DPP’s email server stopped working and staff lost access to its network.
The firm’s IT manager established that all files across its servers had been corrupted, while its external IT supplier believed it had suffered a ransomware incident, despite not receiving any payment demands.
DPP told the ICO that, following an analysis by external consultants, there was evidence of “brute force attempts on its network” as early as February 2022. The attacks were repeated a further 12 times and there were in total 400 attempts to gain access to the network.
The cyber-attacks targeted an administrator account for a legacy case management system.
It was “considered likely” that in June 2022 “an end-user laptop was compromised by the threat actor and subsequently authenticated onto the network”, allowing them to access the administrator account.
DPP had multi-factor authentication for people connecting to its network but not for the administrator account, as a “service-based account”.
It was believed the attacker deployed ransomware but DPP assessed that no data had been exfiltrated. The firm could not access its case management system for eight days but could deal with emails.
The NCA informed DPP on 15 July 2022 that three folders of its data, totalling 32.4GB, had been published on the dark web.
This included court bundles, PDFs, Word documents, photos and video – including police body cam footage – relating to DPP’s clients and experts. Two days later, DPP reported the breach to the ICO.
The law firm said the administrator account targeted was set up in 2001 and had unrestricted access across the network, but it “did not know the password and could not reset it”.
The password was known only to the company which set up the account, later acquired by Thomson Reuters.
The legacy case management system was taken out of service in 2019 but was still operational because of DPP’s data retention policy of six years.
Following the cyber-attack, DPP suspended the administrator account from its network and moved its entire system to a managed hosted environment. The law firm also notified those affected by the attack.
The ICO said that, given the nature of the data processed by DPP, a “high level of security” should have been in place, but there were “critical failings” relating to the administrator account.
The account was “over privileged” by being given full access to the network; it was unnecessary for the firm to access it on a day-to-day basis, and a risk assessment should have been carried out.
The ICO found that DPP had failed to “audit and adequately manage the accounts on its servers” in breach of the UK GDPR. Failing to notify the ICO of the data breach within 72 hours was a further breach.
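The failings the ICO lists above translate into checks a defender can run routinely. What follows is an added example, not code from DPP, the ICO or any supplier named in the article: it audits a constructed account inventory for the conditions the notice describes (a privileged account with no MFA, not needed day-to-day, whose password the organisation does not hold, belonging to a retired system) and counts repeated failed logons against privileged accounts in a constructed syslog-style authentication log. The inventory fields, log format, threshold and every sample value are assumptions made for illustration.

```python
"""Account-hygiene audit and failed-logon detection.

Added example, not DPP's, the ICO's or any vendor's code. The inventory
fields, the log line format and all sample values are constructed."""
import re
from collections import Counter
from datetime import date

# Constructed account inventory (hypothetical field names).
ACCOUNTS = [
    {"name": "cms_admin", "privilege": "domain_admin", "mfa": False,
     "created": date(2001, 1, 1), "password_known": False,
     "last_interactive_use": None, "system_retired": True},
    {"name": "jsmith", "privilege": "user", "mfa": True,
     "created": date(2019, 3, 4), "password_known": True,
     "last_interactive_use": date(2022, 6, 1), "system_retired": False},
    {"name": "backup_svc", "privilege": "domain_admin", "mfa": False,
     "created": date(2018, 5, 5), "password_known": True,
     "last_interactive_use": date(2022, 5, 30), "system_retired": False},
]

# Constructed authentication log (hypothetical syslog-like format).
AUTH_LOG = """\
2022-02-03T02:14:11Z auth FAIL user=cms_admin src=203.0.113.7
2022-02-03T02:14:13Z auth FAIL user=cms_admin src=203.0.113.7
2022-02-03T02:14:15Z auth FAIL user=cms_admin src=203.0.113.7
2022-02-03T02:14:18Z auth FAIL user=cms_admin src=203.0.113.7
2022-02-03T02:14:20Z auth FAIL user=cms_admin src=203.0.113.7
2022-02-03T09:01:02Z auth OK   user=jsmith src=192.0.2.10
2022-06-04T11:02:44Z auth OK   user=cms_admin src=192.0.2.55
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$")


def audit_account(acct, today=date(2022, 6, 4)):
    """Return the list of findings for one account (empty list if clean)."""
    findings = []
    privileged = acct["privilege"] == "domain_admin"
    if privileged and not acct["mfa"]:
        findings.append("privileged account without MFA")
    if privileged and acct["last_interactive_use"] is None:
        findings.append("privileged account not used day-to-day: disable or remove")
    if not acct["password_known"]:
        findings.append("password not under the organisation's control")
    if acct["system_retired"]:
        findings.append("belongs to a retired system still reachable on the network")
    if privileged and (today - acct["created"]).days > 365 * 10:
        findings.append("long-lived privileged credential with no rotation on record")
    return findings


def audit_inventory(accounts):
    """Map account name -> findings, keeping only accounts with at least one."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["name"]] = findings
    return report


def privileged_names(accounts):
    return {a["name"] for a in accounts if a["privilege"] == "domain_admin"}


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def flag_failed_logons(events, privileged, threshold=5):
    """Return (user, src) pairs with >= threshold failures. Each alert notes
    whether the target is privileged and whether the same user later logged
    on successfully from a different source, which deserves a closer look."""
    fails, last_fail = Counter(), {}
    for e in events:
        if e["result"] == "FAIL":
            key = (e["user"], e["src"])
            fails[key] += 1
            last_fail[key] = e["ts"]  # ISO timestamps compare correctly as strings
    alerts = []
    for (user, src), n in sorted(fails.items()):
        if n < threshold:
            continue
        later_ok_elsewhere = any(
            e["result"] == "OK" and e["user"] == user and e["src"] != src
            and e["ts"] > last_fail[(user, src)] for e in events)
        alerts.append({"user": user, "src": src, "failures": n,
                       "privileged": user in privileged,
                       "later_success_from_other_source": later_ok_elsewhere})
    return alerts


if __name__ == "__main__":
    for name, findings in audit_inventory(ACCOUNTS).items():
        print(name, "->", "; ".join(findings))
    for alert in flag_failed_logons(parse_auth_log(AUTH_LOG), privileged_names(ACCOUNTS)):
        print(alert)
```

The audit deliberately treats "privileged and never used interactively" as a finding in its own right: a service-style account that nobody logs into day-to-day is exactly the kind that escapes MFA enforcement and periodic review, and the remedy is to disable it or scope its rights down rather than to add monitoring around it.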
Andy Curry, interim director of enforcement and investigations at the ICO, commented: “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.
“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cyber security frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”