ICO Issues £60,000 GDPR Fine  

The Information Commissioner’s Office (ICO) has fined a Merseyside-based law firm £60,000 following a cyber-attack that led to highly sensitive personal data being published on the dark web. 

DPP Law Ltd (DPP) specialises in a number of areas of law, including crime and actions against the police. It suffered the cyber-attack in June 2022, which affected access to the firm’s IT systems for over a week. The hackers were able to move laterally across DPP’s network and take over 32GB of data. DPP only became aware of this after the National Crime Agency contacted the firm to advise that information relating to their clients had been posted on the dark web. DPP did not report the incident to the ICO until 43 days after they became aware of it.

The ICO found that DPP failed to put appropriate measures in place to ensure the security of personal data held electronically. This failure enabled the hackers to gain access to DPP’s network via an infrequently used administrator account, which lacked multi-factor authentication (MFA), and to steal large volumes of data.

This is the second GDPR fine issued to a law firm. In March 2022, the ICO issued a fine of £98,000 to Tuckers Solicitors LLP. The fine followed a ransomware attack on the firm’s IT systems in August 2020. The attacker encrypted 972,191 files, of which 24,712 related to court bundles. 60 of those were exfiltrated by the attacker and released on the dark web. 

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations that wish to upskill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.

Author: actnowtraining

Act Now Training is Europe's leading provider of information governance training, serving government agencies, multinational corporations, financial institutions, and corporate law firms. Our associates have decades of information governance experience. We pride ourselves on delivering high quality training that is practical and makes the complex simple. Our extensive programme ranges from short webinars and one day workshops through to higher level practitioner certificate courses delivered online or in the classroom.
