UK Law Firm Penalized £60,000 for GDPR Violations Following Ransomware Attack

The Information Commissioner’s Office (ICO) in the United Kingdom has imposed a £60,000 fine on DDP Law, a law firm based in Liverpool, due to violations of the General Data Protection Regulation (GDPR) linked to a ransomware attack in 2022. The breach resulted in the exposure of sensitive client data, including case details.
According to a statement from the ICO, the firm failed to take adequate measures to safeguard customer information, leading to unauthorized access. “Our investigation uncovered deficiencies in DDP’s security protocols that rendered their data susceptible to breaches,” commented Andy Curry, the interim director of enforcement and investigations at the ICO.
During the attack, hackers accessed 32.4 gigabytes of data and subsequently leaked it on the dark web, impacting 791 individuals and containing sensitive information about 306 clients, including personal DNA testing details along with information on minors and victims of sexual crimes.
The ICO’s investigation unveiled several security missteps contributing to the breach. DDP Law’s continued use of an outdated high-privilege user account, compounded by a delay of 43 days in reporting the breach to the ICO, raised significant concerns. Under GDPR, organizations are mandated to report breaches within a 72-hour window.
The agency further noted that DDP learned of the breach through the National Crime Agency, which identified the leaked information on the dark web. “Data protection is a legal obligation, not optional. This fine serves to emphasize that failing to protect entrusted information carries severe financial and reputational repercussions,” Curry asserted.
The attack on DDP Law began with the compromise of an end-user device; the attackers then escalated their access through a SQL user account that had no multi-factor authentication. The investigation found that DDP’s firewall flagged no suspicious activity until a day after the incident and, crucially, that the SQL user account was still active on the network even though the application it served had been retired in 2019.
Moreover, DDP was unaware that the account existed and did not carry out regular risk assessments of its IT systems, which compounded its exposure. The ICO concluded that the firm’s failure to implement appropriate technical and organizational controls was a clear breach of its security obligations under GDPR.
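The failure described above is a textbook orphaned privileged account: a login tied to a decommissioned application, never reviewed, and without MFA. The following is an added illustration (not code from the ICO, DDP Law, or the article) of the kind of periodic access review that would surface such an account; the login inventory, the field names and the 90-day idle threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Login:
    name: str
    high_privilege: bool        # e.g. member of a sysadmin-type server role
    mfa_enforced: bool
    last_login: Optional[date]  # None = no sign-in recorded in the audit log
    owning_app_retired: bool    # the application this login served is decommissioned

def audit_logins(logins: List[Login], today: date,
                 max_idle_days: int = 90) -> List[Tuple[str, List[str]]]:
    """Return (login name, reasons) for every login that needs review.

    A login is flagged when its owning application is retired, when it has been
    idle longer than max_idle_days (or was never seen), or when it holds high
    privilege without MFA. Each reason is reported so the reviewer can decide
    between disabling, removing, or re-scoping the account.
    """
    findings = []
    for login in logins:
        reasons = []
        if login.owning_app_retired:
            reasons.append("owning application retired")
        if login.last_login is None or (today - login.last_login).days > max_idle_days:
            reasons.append(f"idle beyond {max_idle_days} days")
        if login.high_privilege and not login.mfa_enforced:
            reasons.append("high privilege without MFA")
        if reasons:
            findings.append((login.name, reasons))
    return findings

# Constructed sample inventory, as a review run on 2022-06-01 might see it.
AS_OF = date(2022, 6, 1)
SAMPLE_LOGINS = [
    Login("legacy_app_svc", True, False, date(2019, 3, 10), True),   # retired 2019, still live
    Login("reporting_ro", False, True, date(2022, 5, 30), False),   # low privilege, in use
    Login("dba_admin", True, True, date(2022, 5, 31), False),       # privileged but MFA, active
]

if __name__ == "__main__":
    for name, reasons in audit_logins(SAMPLE_LOGINS, AS_OF):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real server, the inventory would be built from the database's principal catalog and sign-in audit log rather than hard-coded, and the output fed into a ticketed disable/remove decision.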
While DDP Law retains the right to appeal the fine, the firm has not yet responded to inquiries from Information Security Media Group regarding the incident. The implications of this breach underscore the ongoing challenges faced by organizations in navigating cybersecurity risks and compliance with GDPR regulations, highlighting the necessity for robust data protection frameworks.