Client Data Breach Leads to £60,000 Fine for UK Law Firm

The Record’s Alexander Martin reports that a UK-based law firm, DPP Law, has been fined £60,000 ($80,000) following a major breach that exposed sensitive client data on the dark web. Regulator scrutiny has been intense, and negligence claims are likely to arise.

The National Crime Agency uncovered the incident, which compromised confidential materials, including police footage and legal documents, and raised serious concerns about cybersecurity measures within legal practices.

The breach occurred in June 2022 when cybercriminals infiltrated DPP Law’s case management system via a brute-force attack on an outdated administrator account that lacked multi-factor authentication.

The attackers accessed over 32 GB of sensitive data, including court documents and body camera footage. Although the firm initially believed no data had been stolen, this assessment was based on incomplete firewall logs that failed to track outgoing data.

It wasn’t until authorities informed DPP that stolen data had been posted on the dark web that the full scale of the breach became apparent.

The Information Commissioner’s Office (ICO) found that DPP Law failed to implement appropriate electronic safeguards for client data, breaching UK data protection laws.

The breach affected 791 individuals, including clients involved in criminal, family, and police action cases. The ICO received a complaint from a client whose personal legal information was found online, leading to further damage to DPP’s reputation.

DPP has since contested the ICO’s findings and is appealing the fine, noting that it has now implemented industry-standard cybersecurity practices.

Law firms and legal departments need to maintain robust cybersecurity measures, especially when handling highly sensitive client data. Regular risk assessments, multi-factor authentication, and comprehensive logging are threshold requirements.