ICO reprimands law firm after client data ends up on dark web


Hack: Firm did not have MFA

A law firm that was hacked and had sensitive client data published on the dark web has been reprimanded by the Information Commissioner’s Office (ICO).

It said Hampshire firm Levales was unaware of the security measures its third-party IT provider had in place, and was not using multi-factor authentication (MFA).

A notice published on Friday said the breach of the law firm, which specialises in criminal and military law, “occurred after an unknown threat actor gained access to the secure cloud-based server via legitimate credentials, later publishing the data on the dark web”.

In total, 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high risk’ of harm or detriment due to the special category of data, including data about serious criminal offences. This contained details of charges, convictions, complainants and victims, as well as legally privileged information.

The ICO found that Levales did not ensure the ongoing confidentiality of its processing systems as required by article 32(1)(b) of GDPR.

“Levales Solicitors LLP did not have [MFA] in place for the affected domain account. Levales relied on computer prompts for the management and strength of password and did not have a password policy in place at the time of the incident.

“The threat actor was able to gain access to the administrator level account via compromised account credentials. Levales Solicitors LLP have not been able to confirm how these were obtained.”

The ICO said MFA was “a basic measure” it expected to see organisations processing personal data implement, regardless of risk.

Further, the firm did not implement “appropriate technical and organisational measures” to ensure its systems were secure, as required by article 32(1)(d).

The notice explained: “Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring.

“Levales had not reviewed if the technical measures associated with the contract, were appropriate for the personal data they were processing since the contract was first signed in 2012.”

The ICO said it expected contracts with managed service providers to be reviewed and that “the responsibilities within the contract are fully understood to ensure the security of the data being processed is upheld”.

In deciding on a reprimand, the ICO said it took account of the remedial steps taken by Levales, such as introducing MFA for all user accounts, updated service contracts with third party providers, and a complete review of its existing systems to prioritise work and upgrades to the firewall.

In June 2023, the National Cyber Security Centre, part of GCHQ, published an updated Cyber Threat to the Legal Sector report, and last week issued tips aimed at sole practitioners and small/medium-sized legal firms to help them reduce the likelihood of becoming victims of a cyber-attack.




Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog


The next wave of AI: what’s really coming in 2025

The most exciting battle in artificial intelligence isn’t unfolding in corporate labs; it’s happening in the open-source community.


The rise of zero-click searches: how to ensure your content is seen

Gone are the days when simply filling your written content with keywords would see returns. The bar for content has been raised and significantly so.


The FCA is trying to get to grips with motor finance mis-selling

The FCA will be urging the Supreme Court to move as quickly as possible in relation to a key ruling on motor finance. The regulator is taking an active approach to this important issue.


Loading animation