A British law firm, DPP Law, was fined £60,000 ($80,000) after cybercriminals accessed its case management system. Hackers gained access by brute-forcing an infrequently used administrator account that lacked multi-factor authentication. They were able to move laterally across DPP’s network, stealing over 32GB of sensitive data, which included client documents and police footage. DPP failed to secure this information adequately, violating the UK’s data protection laws.
The breach impacted 791 individuals, including crime and family clients, expert witnesses, and individuals involved in sensitive cases.
One of the impacted clients, accused of sexually abusing a child, was informed by the police about the online publication of the data. DPP Law initially believed no data had been stolen but learned otherwise when the National Crime Agency contacted them. The breach resulted in court bundles and other sensitive media being exposed on the dark web.
The Information Commissioner’s Office (ICO) investigated the incident, emphasizing DPP’s failure to implement sufficient security measures. The ICO noted the importance of cybersecurity frameworks, especially for firms handling highly sensitive personal data, such as legal firms dealing with criminal and family cases. The law firm was also criticized for not reviewing its logs thoroughly, which meant the exfiltration of data went undetected at the time of the breach.
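The two failures the report singles out, a brute-forced admin account with no MFA and logs that were never reviewed, are exactly the signals a routine log check would surface: a burst of failed logins followed by a success, and a successful login on an account that has been dormant for months. The script below is an added illustration, not code from the page or from DPP Law; it runs over constructed sample log lines (the account names, IP addresses and timestamps are invented), and the thresholds are assumptions a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system):
# "<ISO timestamp> <event> <account> <source IP>"
SAMPLE_LOG = """\
2024-03-01T02:10:01Z login_failed svc-backup-admin 203.0.113.7
2024-03-01T02:10:02Z login_failed svc-backup-admin 203.0.113.7
2024-03-01T02:10:03Z login_failed svc-backup-admin 203.0.113.7
2024-03-01T02:10:04Z login_failed svc-backup-admin 203.0.113.7
2024-03-01T02:10:05Z login_failed svc-backup-admin 203.0.113.7
2024-03-01T02:10:06Z login_success svc-backup-admin 203.0.113.7
2024-03-01T09:15:00Z login_failed jsmith 198.51.100.4
2024-03-01T09:15:30Z login_success jsmith 198.51.100.4
"""

# Constructed record of each account's last known successful login,
# used to decide whether an account counts as dormant.
LAST_SEEN = {
    "svc-backup-admin": datetime(2023, 9, 1),   # untouched for months
    "jsmith": datetime(2024, 2, 29),
}

# Assumed detection thresholds; tune to the environment.
FAIL_THRESHOLD = 5                 # failures within WINDOW before a success is suspicious
WINDOW = timedelta(minutes=5)
DORMANT_AFTER = timedelta(days=60) # a login after this much silence is worth a look


def parse_line(line):
    """Split one log line into (timestamp, event, account, source IP)."""
    ts, event, account, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, account, src


def find_suspicious_logins(log_text, last_seen):
    """Return (account, src, reason) alerts for successes that follow a
    failure burst from the same source, or that land on a dormant account."""
    failures = defaultdict(list)   # (account, src) -> timestamps of failed attempts
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, account, src = parse_line(raw)
        key = (account, src)
        if event == "login_failed":
            failures[key].append(ts)
            continue
        if event != "login_success":
            continue
        # Brute-force pattern: enough recent failures, then a success.
        recent = [t for t in failures[key] if ts - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append((account, src, "success_after_failure_burst"))
        # Dormant-account pattern: first login in a long time (or ever).
        seen = last_seen.get(account)
        if seen is None or ts - seen > DORMANT_AFTER:
            alerts.append((account, src, "dormant_account_login"))
        failures[key].clear()
    return alerts


def run_sample():
    """Run the detector over the constructed sample data."""
    return find_suspicious_logins(SAMPLE_LOG, LAST_SEEN)


if __name__ == "__main__":
    for account, src, reason in run_sample():
        print(f"ALERT {reason}: {account} from {src}")
```

On the sample data the ordinary user `jsmith` produces no alert (one typo, then a normal login), while `svc-backup-admin` trips both rules. Either alert on its own would have been a prompt to look at what that account did next; without MFA, the successful login is the point at which a password guess becomes an intrusion.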
DPP Law’s chief executive, Sue Christopher, expressed disagreement with the ICO’s findings, stating the company had fully cooperated with the investigation.
The firm has since obtained independent certifications to ensure compliance with cybersecurity best practices. DPP faces potential negligence claims related to the cyber incident, though the company has not yet commented on these claims.