ICO Issues Merseyside-Based Law Firm £60,000 Fine After Cyber-Attack
The UK’s Information Commissioner’s Office (ICO) has issued Merseyside-based DPP Law Ltd (DPP) a £60,000 fine following a cyber-attack that resulted in highly sensitive and confidential personal information being published on the dark web.
In its statement relating to the fine, the ICO warned that “data protection is not optional.”
The ICO found that DPP failed to put appropriate measures in place to ensure the security of personal information it held electronically.
Cyber hackers were able to gain access to DPP’s network via an infrequently used administrator account which lacked multi-factor authentication (MFA).
The ICO has previously told Infosecurity that there is no excuse for organizations failing to deploy MFA across all external connections.
A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system.
This resulted in the attackers being able to move laterally across DPP’s network and exfiltrate over 32GB of data.
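The attack chain the ICO describes (repeated password guesses against a rarely used administrator account without MFA, followed by a successful login) is one that authentication logs can surface before data leaves the network. The following is an added example, not code from the article, the ICO or DPP: a small detector that reads a constructed authentication log, raises an alert when an account accumulates repeated failures from one source inside a short window, raises a higher-severity alert when a success follows that burst, and separately flags a successful login to an account that has not signed in for a long time. The log format, the account names, the IP addresses and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp, user, source, result).
# svc-admin is an infrequently used admin account; alice is a normal daily user.
SAMPLE_LOG = """\
2023-11-20T09:12:00 user=svc-admin src=198.51.100.4 result=SUCCESS
2024-01-14T08:55:10 user=alice src=198.51.100.10 result=SUCCESS
2024-01-15T02:00:01 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:03 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:05 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:07 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:09 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:11 user=svc-admin src=203.0.113.7 result=FAIL
2024-01-15T02:00:13 user=svc-admin src=203.0.113.7 result=SUCCESS
2024-01-15T08:30:00 user=alice src=198.51.100.10 result=FAIL
2024-01-15T08:30:20 user=alice src=198.51.100.10 result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(SUCCESS|FAIL)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, src, result) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines instead of crashing
        ts, user, src, result = m.groups()
        events.append((datetime.fromisoformat(ts), user, src, result))
    events.sort(key=lambda e: e[0])  # detection below assumes time order
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5,
           dormant_after=timedelta(days=30)):
    """Return a list of (alert_type, user, src, timestamp) tuples.

    BRUTE_FORCE_ATTEMPT : fail_threshold failures for one (user, src) inside window
    BRUTE_FORCE_SUCCESS : a success for that pair while the burst is still in window
    DORMANT_ACCOUNT_LOGIN: a success for an account idle longer than dormant_after
    """
    alerts = []
    recent_fails = defaultdict(deque)   # (user, src) -> failure timestamps in window
    last_success = {}                   # user -> timestamp of last successful login

    for ts, user, src, result in events:
        q = recent_fails[(user, src)]
        while q and ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()

        if result == "FAIL":
            q.append(ts)
            if len(q) == fail_threshold:  # fire once when the threshold is crossed
                alerts.append(("BRUTE_FORCE_ATTEMPT", user, src, ts))
            continue

        # result == "SUCCESS"
        if len(q) >= fail_threshold:
            alerts.append(("BRUTE_FORCE_SUCCESS", user, src, ts))
        prev = last_success.get(user)
        # Only flag dormancy when a baseline exists; a first-ever sighting in a
        # truncated log window would otherwise produce noise.
        if prev is not None and ts - prev > dormant_after:
            alerts.append(("DORMANT_ACCOUNT_LOGIN", user, src, ts))
        last_success[user] = ts
        q.clear()  # a success ends the burst for this pair

    return alerts


def run(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert_type, user, src, ts in run():
        print(f"{ts.isoformat()} {alert_type:22s} user={user} src={src}")
```

Run against the sample, the detector emits three alerts, all for svc-admin: the attempt alert on the fifth failure, then a brute-force-success alert and a dormant-account alert on the login at 02:00:13, because the account's previous success was 56 days earlier. alice's single failed attempt before a successful login produces nothing. In practice the two svc-admin alerts together are the signal to act on: a success after a failure burst, on an account that nobody should be using, is exactly the access the ICO says MFA on that account would have prevented.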
The ICO noted that DPP only became aware of the data theft after the National Crime Agency (NCA) contacted the firm to advise that information relating to their clients had been posted on the dark web.
DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to the regulator until 43 days after they became aware of it, according to the ICO.
DPP specializes in law relating to crime, military, family, fraud, sexual offences and actions against the police.
The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.
Andy Curry, Director of Enforcement and Investigations (Interim) at the ICO, said, “In publicizing the errors which led to this cyber-attack, we are once again highlighting the need for all organizations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”