ICO fines City Law firm £98,000 for data breaches following ransomware attack
Security measures insufficient
The UK data protection authority, the Information Commissioner’s Office (“ICO”), has fined Tuckers Solicitors £98,000 for multiple data breaches relating to the disclosure of its clients’ court documents, which were published on the dark web. This followed a ransomware attack by a hacker which resulted in 972,191 files being stolen from the firm.
The ICO has said that the firm of solicitors breached Article 5(1)(f) of GDPR by failing to have adequate cybersecurity measures in place to protect its clients’ data. In the report, the ICO noted that the hacker had installed various tools onto the firm’s system which allowed them to create their own account to access the system.
The hacker was assisted by the switch to remote working and was able to infiltrate an app that the firm were using to facilitate working from home arrangements. However, in the eyes of the ICO, the app was not sufficiently secure, as it did not have a multi-factor authentication (“MFA”) function.
The ICO concluded that, “taking into consideration the highly sensitive nature of the personal data that Tuckers was processing… Tuckers should not have allowed access to its network using only a single username and password”. It is now widely regarded amongst data protection authorities that single-factor authentication, such as a single username and password, is bad practice and not an adequate cybersecurity tool.
In addition to insufficient authentication tools, the ICO found that the slow pace at which software vulnerabilities were patched (there was an intervening five-month period between the patch being released in January 2020 and Tuckers applying the patch in June 2020) and a failure to encrypt personal data contributed to the GDPR breach.
Lessons to learn
The recent fine and report by the ICO demonstrate the increased vulnerability of clients’ data following the switch to regular remote working. It is important that the systems in place to facilitate remote working are adequate to protect data, and that organisations monitor them regularly to ensure that any updates which might be required can be actioned quickly. One way to strengthen compliance is to require MFA for employees when accessing the company system.
Unfortunately for Tuckers, the system it had in place was not sufficient to prevent a data breach, and it was slow to action the patch required to cover the software vulnerabilities in its system.
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.