Law Firm Fined by ICO after Dark Web Publishes Client Data


A law firm that specialises in defending clients accused of sexual offences has been fined after data retrieved from a cyber-attack was published on the dark web. 

The Information Commissioner’s Office (ICO) has revealed that DPP Law have incurred a £60,000 fine after details of 682 clients and confidential information relating to 109 experts were accessed and exposed by cyber criminals. 

The firm only became aware of the data breach after it was contacted by the National Crime Agency. However, they failed to notify the ICO of the breach until 43 days after the attack, which took place in June 2022. 

Under UK GDPR, the time limit for reporting a breach to the ICO is within 72 hours of becoming aware of it. 

The regulator said it received multiple complaints from clients affected by the breach, notably one who had been accused of sexual assault against a child.  

They said:  

“I’m now a prisoner in my own home again. In fear of my life. My family’s also.” 

Another complainant requested compensation to increase security at their home. 

When considering its enforcement action, the ICO did not believe that DPP acted intentionally in committing the breaches, but they were “negligent in character.” 

Details of the incident 

In the published penalty notice, the ICO stated that at 11:30am on 4th June 2022, DPP’s email server stopped working and staff lost access to its network. 

The firm’s IT manager believed that every file across its servers had been corrupted, while their external IT supplier believed it had suffered a ransomware attack, despite not receiving any demands for payment.  

After an analysis by an external consultant, DPP told the ICO that there were signs of brute force entry attempts on its network dating back as early as February 2022. A further 12 attacks followed, and in total 400 attempts to gain network access were made. 

The attacks were centred around gaining access to an administration account for a legacy case management system. 

In June 2022, it was considered “highly likely” that an end-user laptop was compromised and authenticated onto the network, allowing the attackers to access the administrator account.  

Although DPP had multi-factor authentication in place for people connecting to its network, it did not have it in place for the administrator account, which was treated as a “service-based” account. 

The firm could not access its case management system for eight days but could deal with emails. 

On 15th July 2022, the NCA informed DPP that three folders of data (32.4GB total) had been published on the dark web.  

Among this data were court bundles, PDFs, documents, photos and videos, including police body cam footage. The firm then reported to the ICO on 17th July. 

The ICO said that given the sensitive nature of the data processed by DPP, a high level of security should have already been in place. However, there were “critical failings” in relation to the administration account.  

Set up in 2001, the administration account had unrestricted access across the network. The firm said it did not know the password and could not reset it. The password was known only to the company which set up the account, later acquired by Thomson Reuters. 

The ICO found that DPP had failed to audit and properly manage the accounts on its server, in breach of the UK GDPR. 
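The two control gaps described above (months of password-guessing against a privileged account that nobody flagged, and a legacy administrator account with no MFA, no internal owner and a password that could not be rotated) are both things a small IT team can check for with a few lines of script. The following is an added example, not code from the article, DPP or the ICO: it runs a simple failed-login burst detector over a handful of constructed authentication log lines, reports any later successful login on an account that was brute-forced, and audits a constructed account inventory for privileged accounts lacking MFA, an owner or password rotation. The log format, account names, IP addresses and inventory fields are all hypothetical.

```python
"""Added example: brute-force burst detection over auth logs plus a privileged
account audit. Log format, accounts and inventory fields are constructed and
hypothetical; they are not DPP's, the ICO's, or any real product's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. Hypothetical format:
# "<ISO timestamp> <account> <OK|FAIL> <source ip>"
SAMPLE_LOG = """\
2022-02-10T02:14:03 cms_admin FAIL 203.0.113.5
2022-02-10T02:14:09 cms_admin FAIL 203.0.113.5
2022-02-10T02:14:15 cms_admin FAIL 203.0.113.5
2022-02-10T02:14:20 cms_admin FAIL 203.0.113.5
2022-02-10T02:14:27 cms_admin FAIL 203.0.113.5
2022-02-10T02:14:33 cms_admin FAIL 203.0.113.5
2022-02-10T09:01:00 jsmith OK 192.0.2.10
2022-02-10T09:05:12 jsmith FAIL 192.0.2.10
2022-02-10T09:05:30 jsmith OK 192.0.2.10
2022-06-04T11:20:41 cms_admin OK 192.0.2.44
"""

FAIL_THRESHOLD = 5               # failures per account inside one window
WINDOW = timedelta(minutes=10)   # width of the burst window
MAX_PASSWORD_AGE = timedelta(days=365)
AS_OF = datetime(2022, 6, 4)     # constructed "today" for the audit


def parse_line(line):
    """Split one log line into (timestamp, account, result, source)."""
    ts, account, result, source = line.split()
    return datetime.fromisoformat(ts), account, result, source


def detect_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {account: [(first_fail, last_fail, count), ...]} for accounts that
    accumulate `threshold` or more failed logins inside `window`. Failures are
    grouped into clusters measured from the first failure of each cluster."""
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, account, result, _ = parse_line(line)
        if result == "FAIL":
            failures[account].append(ts)

    bursts = {}
    for account, times in failures.items():
        times.sort()
        clusters, cluster = [], [times[0]]
        for ts in times[1:]:
            if ts - cluster[0] <= window:
                cluster.append(ts)
            else:
                clusters.append(cluster)
                cluster = [ts]
        clusters.append(cluster)
        hits = [(c[0], c[-1], len(c)) for c in clusters if len(c) >= threshold]
        if hits:
            bursts[account] = hits
    return bursts


def successes_after_bursts(log_text, bursts):
    """Return {account: [iso timestamps]} of successful logins that occur after
    the first detected burst on that account: the signal that guessing may
    have eventually worked and the account needs immediate review."""
    suspicious = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, account, result, _ = parse_line(line)
        if result == "OK" and account in bursts and ts > bursts[account][0][0]:
            suspicious[account].append(ts.isoformat())
    return dict(suspicious)


# Constructed account inventory with hypothetical fields.
ACCOUNTS = [
    {"name": "cms_admin", "privileged": True, "mfa": False, "owner": None,
     "password_last_set": "2001-03-01"},
    {"name": "jsmith", "privileged": False, "mfa": True, "owner": "J Smith",
     "password_last_set": "2022-01-15"},
    {"name": "backup_svc", "privileged": True, "mfa": True, "owner": "IT Ops",
     "password_last_set": "2022-03-01"},
]


def audit_accounts(accounts, as_of=AS_OF, max_age=MAX_PASSWORD_AGE):
    """Return {account: [issue, ...]} for accounts with the control gaps the
    penalty notice describes: privileged without MFA, no internal owner able
    to rotate or disable it, or a password older than `max_age`."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["privileged"] and not acct["mfa"]:
            issues.append("privileged account without MFA")
        if acct["owner"] is None:
            issues.append("no internal owner (cannot rotate or disable)")
        age = as_of - datetime.fromisoformat(acct["password_last_set"])
        if age > max_age:
            issues.append(f"password not rotated for {age.days} days")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    bursts = detect_brute_force(SAMPLE_LOG)
    print("brute-force bursts:", bursts)
    print("successes after bursts:", successes_after_bursts(SAMPLE_LOG, bursts))
    print("account audit:", audit_accounts(ACCOUNTS))
```

Run as-is and the burst detector flags only `cms_admin` (six failures in thirty seconds), the follow-up check reports the later successful login on that same account, and the audit lists `cms_admin` three times over while the owned, MFA-protected service account passes. The thresholds are deliberately low for the constructed data; in practice the window and failure count should be tuned to the authentication source being monitored, and the audit should be fed from the directory or case management system's real account export rather than a hand-written list.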
