TESTIMONIALS

“Received the latest edition of Professional Security Magazine, once again a very enjoyable magazine to read, interesting content keeps me reading from front to back. Keep up the good work on such an informative magazine.”

Graham Penn
ALL TESTIMONIALS
FIND A BUSINESS

Would you like your business to be added to this list?

ADD LISTING
FEATURED COMPANY
Case Studies

ICO fines law firm for data on dark web

by Mark Rowe

The data protection regulator the ICO (Information Commissioner’s Office) has fined DPP Law Ltd (DPP) £60,000, after a cyber attack that led to what the watchdog called highly sensitive and confidential personal information being published on the dark web.

Offence in detail

The ICO found that one night in June 2022, DPP’s email server stopped working and staff had no access to the IT network. DPP’s in-house IT manager found that all files across its servers had been corrupted, while the firm’s external IT supplier believed that DPP had suffered a ransomware incident, despite not receiving any demands for payment. When a consultant looked into it, it appeared ‘brute force attempts’ on the company’s network dated back to February 2022. It’s likely that an end-user’s laptop was compromised. DPP did have multi-factor authentication (MFA), for connecting to its network via a VPN (virtual private network); the admin account that the cyber attacker used to gain entry, however, did not have MFA.

The cyber attacker took data off the network; and downloaded and ran an anti-virus software ‘which acted as a form of clean-up for the incident (and thus making the incident response investigation more difficult)’, the ICO reported. As for the company data, data was recoverable by off-site backups within 24 hours. “However, DPP’s systems were not operating properly for around one week leaving it unable to access the personal data it was processing. Whilst DPP staff did not have access to DPP’s case management software for eight days, DPP told the Commissioner that staff retained the ability to access, and respond to, incoming emails with no impact on client cases,” the ICO said.

The National Crime Agency (NCA) contacted Bootle-based DPP to say that three folders of DPP’s data, totalling 32.4Gb, had been published on the dark web: court bundles, PDFs, Word documents, photos and video (including police body cam footage) about to DPP’s clients and experts instructed to give evidence.

The admin account used by the attacker dated from 2001. DPP reported to the ICO that they had made attempts to change the password; but DPP did not know the password and could not reset it. A service agreement for the admin account ended in 2021. However, due to DPP’s data retention policy of six years, this system was still operational as DPP needed to access data. DPP since moved its case management, accounts and email system to a managed hosted IT, operated by its case management software supplier, which controls the IT security including use of Microsoft 365 MFA. DPP sent notifications to affected data subjects, in line with its obligations under data protection law.

The ICO noted that as the law firm specialises in criminal defence (including sexual offences), family law and civil actions against the police, DPP processes ‘highly sensitive personal data’, including about a person’s sex life, and DNA. The ICO ruled that DPP failed ‘to use appropriate technical and organisational measures to ensure appropriate security’. Although according to the law, you are supposed to notify the ICO within 72 hours of becoming aware of a personal data breach, DPP only made their notification after being contacted by the NCA. DPP said it had focused on
bringing its systems back online, and it did not believe that, in the absence of any evidence of outsider access to personal data, it had an
obligation to notify the ICO.

DPP told the watchdog that it regarded the attacked account as a supplier account which it did not consider it had any need to risk assess; it did not have its own technical resources and was “totally reliant” on IT contractors. DPP had worked alongside its suppliers to ensure it was fully compliant with Lexcel standards (to which it was accredited). Lexcel is a practice management and client care standard introduced by the Law Society of England and Wales.

What they say

Andy Curry, Director of Enforcement and Investigations (Interim) at the ICO, said: “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access. In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.

“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident. Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”

Related News