British law firm fined after ransomware group publishes confidential client data
A British law firm has been fined £60,000 ($80,000) after cybercriminals accessed the company’s case management system and published sensitive information on the dark web, something the company only learned about after being contacted by the National Crime Agency.
DPP Law, based in Bootle, was found to have breached the United Kingdom’s data protection laws by failing to “put appropriate measures in place to ensure the security of personal information held electronically.”
The Information Commissioner’s Office (ICO) stated hackers were able to access the company’s IT network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, and then using the access to move laterally across DPP’s network, pilfering over 32GB of data.
According to the ICO, as DPP specializes in “law relating to crime, military, family fraud, sexual offences, and actions against the police” it is responsible for some of the most highly sensitive and special categories of data covered under data protection laws.
The company realized its IT systems had been hit by a ransomware attack in June 2022, but it initially believed no data had been stolen, based on a review of its firewall and server logs. However, the firewall logs did not record outbound (egress) data flows, so they could not show whether the hackers had taken anything.
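The two failure points the ICO describes above, a brute-forced and rarely used administrator account without MFA, and firewall logs that recorded no egress volumes, are both things a log review can surface if the right fields are logged. The Python below is an added example written for this page, not code from DPP, the ICO or any vendor: the authentication events and flow records are constructed, and the field layouts, thresholds and account names are assumptions.

```python
"""Two detection checks motivated by the DPP Law breach: a burst of failed
logins followed by a success on a dormant admin account, and per-host egress
byte accounting. All log data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: (ISO timestamp, account, source_ip, outcome).
AUTH_EVENTS = [
    ("2022-03-01T09:00:00", "legacy-admin", "10.0.0.5", "SUCCESS"),   # last legitimate use
    ("2022-06-10T09:00:00", "alice", "10.0.0.20", "FAIL"),            # ordinary typo
    ("2022-06-10T09:00:20", "alice", "10.0.0.20", "SUCCESS"),
    ("2022-06-10T02:01:05", "legacy-admin", "203.0.113.7", "SUCCESS"),  # guess lands
] + [
    # twelve failures in under a minute from one external address
    ("2022-06-10T02:00:%02d" % (i * 4), "legacy-admin", "203.0.113.7", "FAIL")
    for i in range(12)
]

# Constructed firewall flow records: (ISO timestamp, src_ip, dst_ip, bytes_out).
# bytes_out of None stands for a connection that was logged without a byte count,
# which is the gap the article describes.
FLOW_RECORDS = [
    ("2022-06-10T02:30:00", "10.0.0.50", "198.51.100.9", 17_179_869_184),  # 16 GiB
    ("2022-06-10T03:10:00", "10.0.0.50", "198.51.100.9", 17_179_869_184),  # 16 GiB
    ("2022-06-10T09:00:00", "10.0.0.20", "93.184.216.34", 48_000),
    ("2022-06-10T09:05:00", "10.0.0.21", "198.51.100.9", None),
]


def brute_force_logins(events, max_fail=10, window=timedelta(minutes=5),
                       dormant=timedelta(days=60)):
    """Return alerts for successes preceded by >= max_fail failures from the
    same source within `window`. Each alert notes whether the account was
    dormant (no success for longer than `dormant` before the burst)."""
    recent_fail = defaultdict(list)   # (account, src) -> failure timestamps
    last_success = {}                 # account -> timestamp of last success
    alerts = []
    for ts_s, account, src, outcome in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        key = (account, src)
        if outcome == "FAIL":
            recent_fail[key] = [t for t in recent_fail[key] if ts - t <= window]
            recent_fail[key].append(ts)
            continue
        fails = [t for t in recent_fail.get(key, []) if ts - t <= window]
        if len(fails) >= max_fail:
            prev = last_success.get(account)
            alerts.append({
                "account": account,
                "source": src,
                "time": ts_s,
                "failures": len(fails),
                "dormant": prev is None or ts - prev > dormant,
            })
        last_success[account] = ts
        recent_fail.pop(key, None)
    return alerts


def egress_by_host(flows, threshold=1 << 30):
    """Sum outbound bytes per internal host. Returns (hosts at or above
    `threshold`, hosts with at least one flow logged without a byte count).
    The second set is the honest answer when the logs cannot say."""
    totals = defaultdict(int)
    unmeasured = set()
    for _ts, src, _dst, nbytes in flows:
        if nbytes is None:
            unmeasured.add(src)
        else:
            totals[src] += nbytes
    suspects = {h: b for h, b in totals.items() if b >= threshold}
    return suspects, unmeasured


if __name__ == "__main__":
    for a in brute_force_logins(AUTH_EVENTS):
        print("brute-force success:", a)
    suspects, unmeasured = egress_by_host(FLOW_RECORDS)
    for host, nbytes in suspects.items():
        print(f"large egress: {host} sent {nbytes / (1 << 30):.1f} GiB")
    print("hosts with unmeasured egress:", sorted(unmeasured))
```

The first check flags the constructed `legacy-admin` success as both brute-forced and dormant, while `alice`'s single mistyped password does not trip it. The second check only works when the firewall records byte counts per flow; hosts that appear in `unmeasured` are exactly the ones a reviewer cannot clear, which is the position DPP's log review was in for all outbound traffic.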
DPP only became aware data had been stolen when it was contacted by the National Crime Agency to be informed that data relating to its clients had been posted on the dark web. The data included court bundles, as well as a range of other documents and media including police body camera footage.
In total, data on 306 crime clients, 225 family clients, 14 matrimonial clients, 137 clients who were taking action against the police, and 109 expert witnesses were impacted by the breach.
“791 is not an insignificant number considering the sensitivity of the personal data involved. This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients,” stated the penalty notice.
The ICO said it received a complaint from one of DPP’s clients who had been accused of sexually abusing a child. The individual was informed by the police that details of this allegation had been published online as a result of the ransomware attack.
Andy Curry, the ICO’s interim director of enforcement and investigations, said the regulator was “publicising the errors which led to this cyber attack” to highlight “the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”
Sue Christopher, the company’s chief executive, told Recorded Future News in an email that DPP had fully cooperated with the ICO’s investigation and disagreed with the regulator’s conclusions, and would be appealing the decision.
She added that the company now holds independent certifications to assure its clients and others that it adheres to best cybersecurity practices.
The law firm has received several potential claims against it for professional negligence related to the cyber incident. Christopher did not immediately provide a statement regarding DPP’s response to these claims.
Key Points
- The law firm DPP Law has been fined £60,000 due to a ransomware attack exposing sensitive client data.
- Hackers got into the firm's network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, then moved laterally across the network.
- The breach involved more than 32GB of sensitive data, affecting 791 individuals across various legal cases.
- The ICO found DPP had failed to put appropriate security measures in place and is publicising the errors so that other organisations assess their own cybersecurity.
- DPP Law disagrees with the ICO's conclusions and intends to appeal; it initially believed no data had been stolen because its firewall logs did not record outbound traffic, and learned of the theft only when the National Crime Agency contacted it.
Why should I read this?
This article highlights a serious issue regarding cybersecurity in legal firms, especially those dealing with sensitive information. With a hefty fine and potential negligence claims looming over DPP Law, it’s crucial for organisations to take note of such incidents. Staying informed about data security developments helps ensure that your own operations are secure and compliant.