The Information Commissioner’s Office (ICO) has fined Tuckers Solicitors £98,000 after a ransomware attack saw sensitive court bundles published on the dark web. The monetary penalty notice is available to view on the ICO’s website.
The ICO’s investigation found that the ransomware attack had led to the encryption of nearly a million files in total. Of these, 24,712 were court bundles, 60 of which the criminals then posted on dark web forums and so-called “data marketplaces.” Fifteen of the posted bundles related to criminal court cases and the other 45 to civil cases.
The bundles of data included:
- Comprehensive personal data
- Medical files
- Witness statements
- Names and addresses of witnesses and victims of crimes, including murder and rape
In addition, some of the data related to individuals considered mentally or physically vulnerable.
According to the ICO, Tuckers became aware of the ransomware attack on 24th August 2020 and discovered the following day that a breach of personal data had occurred. The firm reported the breach to the ICO and shut down the compromised system on the same day, preventing further access by the attackers.
In its decision notice outlining its findings, the ICO wrote: “The commissioner considers that Tuckers’ failure to implement appropriate technical and organisational measures over some or all of the relevant period rendered it vulnerable to the attack.”
Firm not responsible for the breach, but culpable for weaknesses
While the ICO did not blame Tuckers for the incident itself, it held the firm accountable for giving potential attackers a “weakness to exploit” and said the firm remained responsible for protecting the personal data it held. In its investigation, the ICO found that the firm was not using multi-factor authentication (MFA) for remote access to its systems, despite this having been recommended since 2018.
The ICO said that MFA was a “comparably low-cost preventative measure which Tuckers should have implemented” to reduce the risk of attackers gaining access to its systems. Although it is not known how this particular attack began, the fact that Tuckers’ systems could be reached remotely with just a username and password significantly magnified the risk the firm was facing: any phished, reused or brute-forced credential was enough to get in.
Tuckers also admitted to the ICO’s investigators that it had not encrypted the personal data held on the compromised system. Encryption at rest would not have stopped the intrusion, but it could have limited the damage by leaving the exfiltrated files unreadable to the attackers, provided the keys were not held on the same compromised system.
The ICO said Tuckers’ failings amounted to data protection infringements and said the firm’s approach to such matters “was not of an appropriate standard.”
ICO accepts mitigation while firm takes positive steps
However, the ICO did accept that Tuckers had proactively sought to address the security concerns and had worked with cybersecurity specialists to strengthen its defences. The firm now enforces MFA for all remote access and has provided mandatory training to all employees.
In addition, Tuckers has automated the deletion of personal data once the relevant retention periods expire and now holds all client data on a more secure system. The firm is also carrying out regular security testing of its systems and immediately remediating any critical or high-risk issues identified.
In a statement following the announcement of the fine, Tuckers Solicitors said: “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.
“We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.
“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”