Law firm DPP Law fined £60,000 by ICO after cyber attack

Hackers stole over 32GB of sensitive personal information and leaked it on the dark web.

The Merseyside-based law firm DPP Law Ltd has been fined £60,000 ($79,474) after a cyber attack in which hackers stole and published highly sensitive and confidential personal information on the dark web.

DPP Law was attacked in June 2022, and the firm’s IT systems were affected for over a week, during which time hackers managed to steal over 32GB of data. A third-party consulting firm found that the hackers gained access through a brute force attempt against a legacy case management system. However, the company only realised that data had been stolen after being contacted by the National Crime Agency, which said that information connected to DPP Law’s clients had been found on the dark web.

DPP Law, which specialises in law connected to crime, the military, family, fraud, sexual offences, and actions against the police, waited 43 days after becoming aware of the incident to report it to the UK Information Commissioner’s Office (ICO). The firm said it did not consider that “the loss of access to personal information constituted a personal data breach.”

ICO said, “as the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected.”

Under UK GDPR Article 33(1), a personal data breach must be reported to the Commissioner within 72 hours of becoming aware of it.

Brute force

A brute force attack is where criminals use trial and error to guess username and password combinations (credentials) or encryption keys. 

Failed to have MFA

ICO found that the company failed to implement adequate measures to ensure that personal information was held securely electronically. The hackers were able to steal the information by accessing an infrequently used administrator account which did not have multi-factor authentication.
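The two failure modes described above, a brute-force burst against an account and a successful login to an administrator account that has sat unused for months, are both visible in ordinary authentication logs. The following Python detector is an added example, not code from the article or from the ICO's notice; the log format, the account names and IP addresses, and the thresholds are all constructed for illustration.

```python
"""Flag brute-force bursts and logins to dormant accounts in authentication logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (fields: ISO timestamp, account, source IP, outcome).
# These lines are illustrative only, not records from the DPP Law incident.
SAMPLE_LOG = """\
2022-01-10T09:00:00 legacy-admin 198.51.100.4 SUCCESS
2022-06-03T02:14:01 legacy-admin 203.0.113.7 FAIL
2022-06-03T02:14:03 legacy-admin 203.0.113.7 FAIL
2022-06-03T02:14:06 legacy-admin 203.0.113.7 FAIL
2022-06-03T02:14:08 legacy-admin 203.0.113.7 FAIL
2022-06-03T02:14:11 legacy-admin 203.0.113.7 FAIL
2022-06-03T02:14:15 legacy-admin 203.0.113.7 SUCCESS
2022-06-03T08:30:00 jsmith 198.51.100.9 FAIL
2022-06-03T08:30:20 jsmith 198.51.100.9 SUCCESS
"""

FAIL_THRESHOLD = 5                   # failures inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)       # sliding window for counting failures
DORMANT_AFTER = timedelta(days=90)   # idle this long -> "infrequently used" account

def parse(log_text):
    """Yield (timestamp, account, ip, outcome) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, account, ip, outcome = line.split()
        yield datetime.fromisoformat(ts), account, ip, outcome

def analyse(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW, dormant_after=DORMANT_AFTER):
    """Return one alert string per detected condition, in log order."""
    alerts = []
    recent_fails = defaultdict(deque)   # (account, ip) -> timestamps of failures in window
    burst_flagged = set()               # (account, ip) pairs already past the threshold
    last_success = {}                   # account -> timestamp of its previous successful login
    for ts, account, ip, outcome in parse(log_text):
        key = (account, ip)
        if outcome == "FAIL":
            q = recent_fails[key]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures that fell out of the window
                q.popleft()
            if len(q) >= fail_threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append(f"BRUTE_FORCE {account} from {ip}: {len(q)} failures in {window}")
        else:  # SUCCESS
            if key in burst_flagged:            # a guess finally worked: highest priority
                alerts.append(f"SUCCESS_AFTER_BURST {account} from {ip} at {ts.isoformat()}")
            prev = last_success.get(account)
            if prev is not None and ts - prev > dormant_after:
                alerts.append(f"DORMANT_ACCOUNT_LOGIN {account}: idle {(ts - prev).days} days")
            last_success[account] = ts
            recent_fails.pop(key, None)         # a success resets the burst state for this pair
            burst_flagged.discard(key)
    return alerts
```

Running `analyse(SAMPLE_LOG)` yields three alerts: the five-failure burst against `legacy-admin`, the success that follows it, and the dormant-account login (143 days idle); the single failure by `jsmith` stays below threshold and produces nothing.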

“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access,” said Andy Curry, Director of Enforcement and Investigations (Interim).

“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”

UK GDPR

DPP Law was found to have breached UK GDPR Articles 5(1)(f), 32(1), 32(2) and 33(1).