ICO flags up MFA as law firm is hit by UK GDPR penalty

The Information Commissioner’s Office has sent out a fresh warning to companies that handle highly sensitive and confidential personal information after fining a legal firm for failing to put appropriate measures in place to prevent a cyber attack.

Merseyside-based DPP Law specialises in law relating to crime, military, family, fraud, sexual offences, and actions against the police.

The ICO said the very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.

However, in June 2022, DPP suffered a cyber attack that disrupted access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute-force attack had gained access to an administrator account, which was then used to reach a legacy case management system.

This enabled the attackers to move laterally across DPP’s network and exfiltrate over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise that information relating to its clients had been posted on the dark web.

DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to the ICO until 43 days after it became aware of it.

As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected.

Following an investigation, the ICO found DPP had failed to ensure the security of personal information held electronically. This failure enabled the attackers to gain access to DPP’s network via an infrequently used administrator account that lacked multi-factor authentication (MFA), and to steal large volumes of data, which was subsequently published on the dark web.
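The two weaknesses the ICO describes, a dormant administrator account without MFA and a brute-force attack that nobody noticed until the data surfaced, are both detectable from data most firms already hold. The following is an added illustration written for this article, not tooling from DPP, the ICO or the consulting firm: it runs a sliding-window failed-login detector over a few constructed log lines, then cross-checks an assumed account inventory for admin accounts that are both dormant and lack MFA. The log format, account names, IP addresses and inventory fields are all invented for the example.

```python
"""Flag brute-force attempts and dormant admin accounts lacking MFA (constructed example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log. Assumed line format:
# "<ISO-8601 timestamp> <LOGIN_FAIL|LOGIN_OK> <account> <source ip>"
SAMPLE_LOG = """\
2022-06-10T01:00:01Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:03Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:05Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:07Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:09Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:11Z LOGIN_FAIL legacy-admin 203.0.113.5
2022-06-10T01:00:14Z LOGIN_OK legacy-admin 203.0.113.5
2022-06-10T08:15:00Z LOGIN_FAIL alice 198.51.100.7
2022-06-10T08:15:20Z LOGIN_OK alice 198.51.100.7
"""

# Constructed admin account inventory (hypothetical fields): MFA state and last successful login.
ADMIN_INVENTORY = {
    "legacy-admin": {"mfa_enabled": False, "last_success": "2022-01-15T09:12:00Z"},
    "alice": {"mfa_enabled": True, "last_success": "2022-06-09T17:40:00Z"},
}

# Fixed "current time" so the example is reproducible offline.
NOW = datetime(2022, 6, 10, 12, 0, tzinfo=timezone.utc)


def _ts(text):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_line(line):
    ts, event, account, ip = line.split()
    return {"ts": _ts(ts), "event": event, "account": account, "ip": ip}


def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {account: {failures, followed_by_success, sources}} for every account that
    accumulates `threshold` failed logins inside any `window`; a success while the window
    is still hot is recorded separately, since that pattern suggests the guess succeeded."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)  # account -> timestamps of failures inside the window
    alerts = {}
    for e in events:
        q = recent[e["account"]]
        while q and e["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if e["event"] == "LOGIN_FAIL":
            q.append(e["ts"])
            if len(q) >= threshold:
                a = alerts.setdefault(e["account"],
                                      {"failures": 0, "followed_by_success": False, "sources": set()})
                a["failures"] = max(a["failures"], len(q))
                a["sources"].add(e["ip"])
        else:  # LOGIN_OK
            if e["account"] in alerts and len(q) >= threshold:
                alerts[e["account"]]["followed_by_success"] = True
            q.clear()
    return alerts


def risky_admins(inventory, now, dormant_days=90):
    """Admin accounts with no successful login for `dormant_days` that also lack MFA:
    the combination that made the account in the article such an easy target."""
    out = []
    for name, info in inventory.items():
        dormant = (now - _ts(info["last_success"])) > timedelta(days=dormant_days)
        if dormant and not info["mfa_enabled"]:
            out.append(name)
    return sorted(out)


def triage(log_text, inventory, now):
    """Combine both signals: brute-forced accounts that are also dormant, MFA-less admins."""
    alerts = find_bruteforce(log_text)
    risky = set(risky_admins(inventory, now))
    return {acct: ("critical" if acct in risky else "high") for acct in alerts}


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
    print(risky_admins(ADMIN_INVENTORY, NOW))
    print(triage(SAMPLE_LOG, ADMIN_INVENTORY, NOW))
```

Against the constructed data, `legacy-admin` trips the threshold, is followed by a successful login from the same source, and is also dormant without MFA, so `triage` rates it critical; `alice`, with a single failure and MFA enabled, produces nothing. The dormant-account check is the cheaper control of the two: an inventory review that removes or MFA-protects unused admin accounts closes the door before any detection logic is needed.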

The ICO has issued DPP with a £60,000 fine for breaches of UK GDPR – only the second such fine this year, following a ruling against supplier company Advanced Computer Software Group.

ICO interim director of enforcement and investigations Andy Curry said: “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.

“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.

“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.

“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”

Last year, the ICO published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.
