Merseyside law firm fined £60,000 after cyber attack

Information Commissioner’s Office fines DPP Law Ltd for failing to put in place appropriate security measures that could have prevented large-scale theft of sensitive, confidential data

There’s been a worrying rise over recent years in cyber attacks, in which criminals seek to steal, expose or even destroy data held by organisations or individuals. As we’ve reported before, the impacts of such attacks can be devastating.  

But now the Information Commissioner’s Office – the government-appointed independent body that upholds information rights in the public interest – has fined the victim of such an attack £60,000 for failing to take adequate steps to safeguard its data. The case is surely a stark warning for any organisation or individual handling personal data. 

So why was the victim of an attack fined?  

Established more than 35 years ago, DPP Law Ltd specialises in law relating to crime, the military, family, fraud, sexual offences and actions against the police. That work means the data it handles is highly sensitive and includes legally privileged information.

In June 2022, DPP suffered a cyber attack that affected its IT systems for more than a week. The firm didn’t realise that attackers were helping themselves to more than 32GB of data and posting sensitive details related to DPP clients on the dark web. DPP only became aware of this when informed by the National Crime Agency.

Even then, the firm did not consider its loss of access to personal information to be a personal data breach, which under law requires the ICO to be notified. DPP did not notify the ICO until 43 days after the firm became aware of what had happened.

In investigating what happened, a third-party consulting firm was able to show that a brute force attack had successfully gained access to an infrequently used administrator account that lacked multi-factor authentication (MFA). That account was then used to access a legacy case management system, enabling the attackers to move laterally across DPP’s network and steal large volumes of data.
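The chain described above (many failed logins, then a success, on a dormant administrator account with no MFA) is one that a log-monitoring rule can catch before any lateral movement starts. The following is an added example written for this article, not code from DPP, its consultants or the ICO: the log format, account names, MFA inventory and last-use dates are all constructed for illustration. It scans authentication events per account and source address, and raises an alert when a success follows a burst of failures, enriched with whether the account has MFA and whether it had been unused for a long time.

```python
"""Detection sketch for a brute-force login against a dormant, MFA-less
administrator account. Added example; all data below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log: "<timestamp> <user> <result> <source_ip>"
SAMPLE_LOG = """\
2022-06-01T02:00:01 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:03 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:05 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:08 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:10 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:12 svc_legacyadmin FAIL 203.0.113.5
2022-06-01T02:00:15 svc_legacyadmin SUCCESS 203.0.113.5
2022-06-01T08:30:00 jsmith FAIL 198.51.100.20
2022-06-01T08:30:20 jsmith SUCCESS 198.51.100.20
"""

# Constructed inventory: accounts that have no MFA enrolled (hypothetical).
NO_MFA = {"svc_legacyadmin"}

# Constructed record of each account's last legitimate interactive use.
LAST_USED = {
    "svc_legacyadmin": datetime(2021, 11, 3),
    "jsmith": datetime(2022, 5, 31),
}


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, result, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=10),
                              dormant_after=timedelta(days=90)):
    """Alert when a SUCCESS for (user, ip) follows >= threshold FAILs within
    `window`. Each alert records whether the account lacks MFA and whether
    it had been dormant, so the triage queue can rank it."""
    recent_fails = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    alerts = []
    for ts, user, result, ip in sorted(events):
        q = recent_fails[(user, ip)]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            continue
        if result == "SUCCESS" and len(q) >= threshold:
            last = LAST_USED.get(user)
            dormant = last is None or ts - last > dormant_after
            no_mfa = user in NO_MFA
            alerts.append({
                "user": user,
                "source_ip": ip,
                "time": ts.isoformat(),
                "failures_before_success": len(q),
                "no_mfa": no_mfa,
                "dormant": dormant,
                # A dormant privileged account with no MFA is the worst case.
                "severity": "critical" if (no_mfa and dormant) else "high",
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(parse_log(SAMPLE_LOG)):
        print(alert)
```

The same rule applied to a real identity provider's sign-in log would need the provider's own field names, but the logic (failure burst, then success, cross-referenced against an MFA inventory and last-use records) is what turns a routine authentication feed into an early warning for exactly the entry point described in the ICO's findings.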

The ICO has now ruled that DPP failed to put in place appropriate measures to ensure the security of electronically held personal information. That data included private details about identifiable individuals, so DPP had a legal duty to ensure it was properly protected. The ICO also noted that the nature of the information held by the firm was particularly sensitive, including special category data. 

Andy Curry, Interim Director of Enforcement and Investigations at the ICO, says: ‘Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access. In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents. 

‘Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident. Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.’ 

Sue Christopher, Chief Executive of DPP Law Ltd, told the Register: ‘We disagree with the conclusions reached by the Information Commissioner’s Office, and we will be lodging an appeal. DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials). These independent certifications are intended to assure clients and stakeholders of our adherence to best practices.’

The ICO provides a free online guide to data security, including companies’ legal obligations, and last year published a report, Learning from the mistakes of others – a retrospective review. 

In related news:

£121m for quantum tech to tackle fraud and money laundering 

Westminster unveils plans for ‘next generation strategic data platform’

West Berkshire Council launches AI pilot

Simon Guerrier
Writer and journalist for Infotec, Social Care Today and Air Quality News