British law firm fined after ransomware group publishes confidential client data
A British law firm has been fined £60,000 ($80,000) after cybercriminals accessed the company’s case management system and published sensitive information on the dark web, something the company only learned about after being contacted by the National Crime Agency.
DPP Law, based in Bootle, was found to have breached the United Kingdom’s data protection laws by failing to “put appropriate measures in place to ensure the security of personal information held electronically.”
The Information Commissioner’s Office (ICO) stated hackers were able to access the company’s IT network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, and then using the access to move laterally across DPP’s network, pilfering over 32GB of data.
According to the ICO, as DPP specializes in “law relating to crime, military, family fraud, sexual offences, and actions against the police” it is responsible for some of the most highly sensitive and special categories of data covered under data protection laws.
The company realized in June 2022 that its IT systems had been hit by a ransomware attack, but after reviewing its firewall and server logs it initially concluded that no data had been stolen. That review could not have established this: the firewall logs did not record outbound (egress) data flows, so they contained no information about whether the attackers had taken anything.
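The two gaps the ICO describes, a rarely used admin account being brute-forced without MFA and firewall logs that could not show outbound data volumes, are both things a firm can check for in its own logs. The following is an added illustration written for this article; it is not DPP's, the ICO's or any vendor's code. The log lines are constructed, and the field layouts (`user=`, `src=`, `dst=`, `bytes_out=`), the 10.0.0.0/8 "internal" range and the thresholds are assumptions chosen for the example. The second half shows the blind spot directly: the same connections, logged without byte counts, produce no exfiltration finding at all.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data (not real DPP logs) ---------------------------
# Assumed auth-log layout: "<ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>"
AUTH_LINES = (
    # 25 guesses in under a minute against a rarely used admin account...
    [f"2022-06-03T01:12:{i:02d} FAIL user=admin-legacy src=198.51.100.23" for i in range(25)]
    # ...followed by the guess that worked (no MFA to stop it).
    + ["2022-06-03T01:13:02 SUCCESS user=admin-legacy src=198.51.100.23"]
    # An ordinary user mistyping once is not a brute-force signal.
    + ["2022-06-03T08:59:40 FAIL user=jsmith src=10.0.5.14",
       "2022-06-03T09:00:12 SUCCESS user=jsmith src=10.0.5.14"]
)

# Assumed flow-log layout: "<ISO timestamp> src=<ip> dst=<ip> bytes_out=<n>"
GiB = 1024 ** 3
FLOWS_WITH_EGRESS = [
    "2022-06-03T01:20:00 src=198.51.100.23 dst=10.0.5.20 bytes_out=4096",     # inbound
    "2022-06-03T01:25:00 src=10.0.5.14 dst=10.0.5.20 bytes_out=8192",         # internal only
    "2022-06-03T08:30:00 src=10.0.5.14 dst=203.0.113.9 bytes_out=150000",      # normal browsing
] + [
    # Four 8 GiB transfers from the case file server to the attacker's host.
    f"2022-06-03T0{h}:00:00 src=10.0.5.20 dst=198.51.100.23 bytes_out={8 * GiB}"
    for h in (2, 3, 4, 5)
]
# The same traffic as recorded by a firewall that logs connections but not byte counts.
FLOWS_NO_EGRESS = [re.sub(r" bytes_out=\d+$", "", line) for line in FLOWS_WITH_EGRESS]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
AUTH_RE = re.compile(r"^(\S+) (FAIL|SUCCESS) user=(\S+) src=(\S+)$")
FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)(?: bytes_out=(\d+))?$")


def parse_auth(lines):
    """Parse auth lines into (timestamp, result, user, source ip) tuples."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def flag_brute_force(events, window=timedelta(minutes=10), threshold=10):
    """Flag (user, src) pairs with >= threshold failures inside any window,
    and note whether a SUCCESS followed the last failure (guess landed)."""
    by_key = defaultdict(list)
    for ts, result, user, src in events:
        by_key[(user, src)].append((ts, result))
    flagged = {}
    for key, evs in by_key.items():
        evs.sort()
        fails = [ts for ts, r in evs if r == "FAIL"]
        successes = [ts for ts, r in evs if r == "SUCCESS"]
        best, lo = 0, 0
        for hi in range(len(fails)):            # sliding window over failures
            while fails[hi] - fails[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[key] = {"failures": best,
                            "then_success": any(s > fails[-1] for s in successes)}
    return flagged


def parse_flows(lines):
    """Parse flow lines; bytes_out is None when the log did not record it."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if m:
            ts, src, dst, b = m.groups()
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "bytes_out": int(b) if b is not None else None})
    return flows


def flag_exfiltration(flows, threshold_bytes=5 * GiB):
    """Sum bytes leaving the internal range per source host and flag hosts
    over the threshold. Returns (flagged_hosts, egress_flows_without_bytes):
    a non-zero second value means the log cannot answer the question."""
    totals, missing = defaultdict(int), 0
    for f in flows:
        outbound = (ipaddress.ip_address(f["src"]) in INTERNAL
                    and ipaddress.ip_address(f["dst"]) not in INTERNAL)
        if not outbound:
            continue
        if f["bytes_out"] is None:
            missing += 1
        else:
            totals[f["src"]] += f["bytes_out"]
    return {h: b for h, b in totals.items() if b >= threshold_bytes}, missing


if __name__ == "__main__":
    print("brute force:", flag_brute_force(parse_auth(AUTH_LINES)))
    print("egress (byte counts logged):", flag_exfiltration(parse_flows(FLOWS_WITH_EGRESS)))
    print("egress (no byte counts):   ", flag_exfiltration(parse_flows(FLOWS_NO_EGRESS)))
```

The brute-force check keys on (account, source) and looks for a success after a burst of failures, which is the pattern that MFA on the account would have blocked regardless of detection. The egress check deliberately reports how many outbound flows carried no byte count: if that number is non-zero, an "our logs show nothing was taken" conclusion like the one in the penalty notice is not supported by the evidence, and the gap is in logging, not in the attacker's behaviour.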
DPP only became aware data had been stolen when it was contacted by the National Crime Agency to be informed that data relating to its clients had been posted on the dark web, according to the official monetary penalty notice. The data included court bundles, as well as a range of other documents and media including police body camera footage.
In total, data on 306 crime clients, 225 family clients, 14 matrimonial clients, 137 clients who were taking action against the police, and 109 expert witnesses were impacted by the breach.
“791 is not an insignificant number considering the sensitivity of the personal data involved. This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients,” stated the penalty notice.
The ICO said it received a complaint from one of DPP's clients who had been accused of sexually abusing a child. The individual was informed by the police that details of this allegation had been published online as a result of the ransomware attack.
Andy Curry, the ICO’s interim director of enforcement and investigations, said the regulator was “publicising the errors which led to this cyber attack” to highlight “the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”
Sue Christopher, the company’s chief executive, told Recorded Future News in an email that DPP had fully cooperated with the ICO’s investigation and disagreed with the regulator’s conclusions, and would be appealing the decision.
She added that the company now holds independent certifications to assure its clients and others that it adheres to best cybersecurity practices.
The law firm has received several potential claims against it for professional negligence related to the cyber incident. Christopher did not immediately provide a statement regarding DPP’s response to these claims.
Alexander Martin
is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.