
UK Fines Law Firm 60,000 Pounds for Ransomware Data Breach


The U.K. Information Commissioner's Office (ICO) has fined Liverpool-based law firm DPP Law 60,000 pounds for breaches of the General Data Protection Regulation (GDPR) connected to a ransomware attack and data leak in 2022. The incident exposed sensitive information, including details of the firm's clients' cases.

According to the ICO, DPP Law failed to adequately protect client data and to address known breach risks, allowing unauthorized access to sensitive information. The lapse led to the exposure of 32.4 gigabytes of data affecting 791 individuals, including 306 clients. The stolen information included DNA testing data, details about children, and information on victims of sexual offences.

The ICO's investigation identified several security and privacy failings that contributed to the breach: the firm's continued use of a legacy account with high privileges, a failure to assess the risks posed by its IT systems, and a 43-day delay in reporting the breach to the ICO, despite the GDPR requirement to notify the regulator within 72 hours of becoming aware of a breach. The firm only learned of the breach when the National Crime Agency contacted it about the stolen data appearing on the dark web.

Andy Curry, the ICO's interim director of enforcement and investigations, emphasized that data protection is a legal obligation and that failing to protect personal information can have serious consequences, both financial and reputational. Curry highlighted the importance of implementing appropriate technical and organizational measures to secure the personal data an organization processes.

The attackers compromised DPP Law by first gaining a foothold on an end-user device, then obtaining access to a DPP administrator SQL user account that was not protected by multifactor authentication. From there they used a remote desktop connection to reach the firm's case management systems. DPP's firewall did not flag the activity as suspicious, and the legacy SQL account remained active on the network even though the service provider had retired the application it belonged to in 2019.

The ICO also noted that DPP did not have access to the compromised account and had not carried out adequate assessments of the risks the system posed. These failures were found to breach the GDPR requirement to ensure a level of security appropriate to the personal data being processed.
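The failure pattern described above (a privileged SQL login left behind by a retired application, still enabled and reachable over remote desktop) is one that a database administrator can look for directly. The query below is an added example, not taken from the ICO's findings or from DPP Law's environment; the article does not name the database product, so Microsoft SQL Server is assumed, and the login name in the remediation line is hypothetical.

```sql
-- Added example (not from the page): audit SQL-authenticated logins that
-- hold the sysadmin role on Microsoft SQL Server. SQL Server is an
-- assumption; the article does not say which database DPP Law used.
-- Run as a sysadmin from SSMS or sqlcmd.

-- 1. Every enabled SQL-auth login with sysadmin, with password age.
--    Old password_last_set dates and create_date values that predate the
--    current applications are the accounts to question first.
SELECT
    l.name                                                     AS login_name,
    l.is_disabled,
    l.create_date,
    CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
    DATEDIFF(day,
             CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime),
             SYSDATETIME())                                    AS password_age_days,
    l.is_policy_checked,
    l.is_expiration_checked
FROM sys.sql_logins AS l
WHERE IS_SRVROLEMEMBER('sysadmin', l.name) = 1
  AND l.is_disabled = 0
ORDER BY password_last_set;

-- 2. Sessions currently open under those logins, so you can see which
--    hosts and programs still rely on each account before disabling it.
SELECT
    s.login_name,
    s.host_name,
    s.program_name,
    s.login_time,
    s.last_request_end_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND EXISTS (
        SELECT 1
        FROM sys.sql_logins AS l
        WHERE l.name = s.login_name
          AND IS_SRVROLEMEMBER('sysadmin', l.name) = 1
  );

-- 3. Remediation for a login whose application has been retired.
--    [legacy_app_admin] is a hypothetical name; substitute the one the
--    audit surfaced. Disabling first (rather than dropping) keeps the
--    login's SID intact in case a forgotten dependency turns up.
ALTER LOGIN [legacy_app_admin] DISABLE;
```

Two caveats a practitioner should keep in mind. First, step 2 only shows sessions open at the moment the query runs; to know whether an account has been used at all in the past months you need SQL Server Audit or login auditing turned on, which is exactly the kind of visibility the ICO found lacking here. Second, SQL Server's native SQL authentication has no multifactor option at all; MFA is only available when logins authenticate through Windows or Microsoft Entra ID. The durable fix for "an admin SQL account without MFA" is therefore to remove SQL-auth logins from sysadmin and authenticate administrators through an identity provider that enforces MFA, not to try to bolt a second factor onto the login itself.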

DPP Law can appeal the fine. At the time of reporting, the firm had not responded to Information Security Media Group's requests for comment.

The case is a reminder that robust data protection measures and prompt breach reporting are both legal obligations and practical necessities. Retired applications and the privileged accounts they leave behind need to be decommissioned, not merely forgotten, and organizations must know which accounts exist on their networks before they can protect the data entrusted to them.
