
ICO Issues Fine After Sensitive Legal Details Leaked on Dark Web

The company was not aware of the breach until informed by the NCA, and was unaware of its duty to report to the ICO.


Merseyside-based DPP Law Ltd has been fined £60,000 by the Information Commissioner’s Office following a cyber-attack.

Following the attack, highly sensitive and confidential personal information was published on the dark web. The ICO’s investigation found DPP failed to put appropriate measures in place to ensure the security of personal information held electronically.

DPP specialises in law relating to crime, military, family, fraud, sexual offences, and actions against the police. The ICO said the very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.

Brute Force

In the June 2022 incident, attackers had access to the firm’s IT systems for over a week after a brute-force attempt succeeded against an administrator account that was used to access a legacy case management system.

This enabled the attackers to move laterally across DPP’s network and exfiltrate over 32GB of data. The attackers also made use of an infrequently-used administrator account, which lacked multi-factor authentication, to steal large volumes of data.
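As an added illustration (not the article’s or DPP’s code, and written from the defender’s side): a small detector run over constructed authentication log lines that flags the pattern described here, a burst of failed logins against an administrator account followed by a success from the same source. The log format, account name and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article or the firm):
# eight failures against a rarely used admin account from one source within
# seconds, then a success from that same source; plus a benign user login.
SAMPLE_LOG = [
    f"2022-06-01T02:00:{s:02d}Z login user=admin_legacy src=203.0.113.7 result=FAIL"
    for s in range(1, 9)
] + [
    "2022-06-01T02:00:09Z login user=admin_legacy src=203.0.113.7 result=OK",
    "2022-06-01T09:15:00Z login user=jsmith src=198.51.100.4 result=FAIL",
    "2022-06-01T09:15:20Z login user=jsmith src=198.51.100.4 result=OK",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(lines):
    """Yield (timestamp, user, source, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["src"], m["result"]

def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (user, src, failure_count, succeeded).

    A (user, src) pair reaching `threshold` failures inside `window` is reported
    once as a burst (succeeded=False); a later success from the same pair while
    the burst is still inside the window is the likely takeover (succeeded=True).
    """
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ts, user, src, result in parse(lines):
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if result == "FAIL":
            recent[key].append(ts)
            if len(recent[key]) == threshold:
                alerts.append((user, src, threshold, False))
        elif len(recent[key]) >= threshold:
            alerts.append((user, src, len(recent[key]), True))
            recent[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in find_brute_force(SAMPLE_LOG):
        print(alert)
```

The succeeded=True alert is the one to escalate; for a legacy system with no MFA in front of it, that success is the moment the account should be treated as compromised.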

DPP only became aware of the leak when the National Crime Agency contacted the firm to advise that information relating to their clients had been posted on the dark web.

Because DPP did not consider the loss of access to personal information to be a personal data breach, it did not report the incident to the ICO until 43 days after becoming aware of it.

Act Responsibly

Andy Curry, director of enforcement and investigations (Interim), said: “In publicising the errors which led to this cyber-attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.

“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.

“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
