UK Law Firm Fined £60,000 Over Ransomware Data Breach That Exposed Sensitive Case Files

DPP Law was fined £60,000 after a ransomware data breach exposed sensitive client data, due to outdated systems, delayed reporting, and lack of cybersecurity controls.

    The ICO penalized Liverpool-based DPP Law for multiple GDPR violations after hackers stole and leaked 32.4GB of sensitive client data online.

    ICO Fines DPP Law £60,000 for Failing to Prevent Ransomware Data Breach

    The United Kingdom’s Information Commissioner’s Office (ICO) has fined Liverpool-based law firm DPP Law £60,000 for a ransomware data breach that led to the exposure of sensitive client information on the dark web.

    The breach, which occurred in 2022, affected 791 individuals, including 306 clients whose data contained DNA testing details, information on children, and victims of sexual offenses.

    According to the ICO, the law firm failed to meet the legal requirements set under the UK General Data Protection Regulation (GDPR).

    “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorized access,” said Andy Curry, ICO’s interim director of enforcement and investigations.

    Investigation Reveals Outdated Systems, Delayed Reporting, and Lack of Risk Assessment

    The data breach stemmed from a number of internal failures at DPP Law. The ICO found that the firm:

    • Left an outdated, high-privilege SQLuser account active on the network, even though the application it served had been retired in 2019.
    • Did not implement multifactor authentication (MFA) for the compromised admin account.
    • Lacked technical and organizational measures to safeguard sensitive personal data.
    • Failed to identify risks in its IT infrastructure.
    • Took 43 days to notify the ICO after becoming aware of the incident—far exceeding the 72-hour requirement under GDPR.

    Alarmingly, the law firm did not detect the breach itself. It was informed by the UK’s National Crime Agency after the stolen data was discovered on the dark web.

    “Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: Failure to protect the information people entrust to you carries serious monetary and reputational consequences,” Curry said.

    Attack Exploited Weaknesses in DPP Law’s Security Stack

    The attackers initially compromised a user’s endpoint device, then escalated access through the privileged SQLuser account, which lacked MFA. From there, they moved laterally within the network using a remote desktop machine to gain access to the firm’s case management systems.

    Despite these movements, DPP’s firewall failed to detect any suspicious activity. The breach went unnoticed until external notification, indicating a critical failure in monitoring and detection capabilities.
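The two control failures above, a dormant privileged account that was never disabled and a reactivated account that then hops to a remote desktop host, are both things a firm can check for before an attacker does. The following Python is an added example written for this article, not code from the ICO or DPP Law: it runs an inventory check for stale or MFA-less privileged accounts, then scans constructed logon events for an account that reappears after a long idle period and lists the hosts it subsequently reaches over RDP. The log format, the hostnames, the `admin.svc` account and the `PRIV_ACCOUNTS` inventory are all assumptions; only the `SQLuser` name and the 2019 retirement date come from the article. Logon type 10 is the Windows RemoteInteractive (RDP) logon type.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logon events (not real DPP Law telemetry). Assumed format:
# "<ISO timestamp> host=<hostname> user=<account> type=<Windows logon type> result=<ok|fail>"
SAMPLE_LOG = """\
2022-06-01T08:02:11 host=WS-017 user=j.smith type=2 result=ok
2022-06-01T08:15:40 host=WS-017 user=j.smith type=2 result=ok
2022-06-02T23:41:05 host=WS-017 user=SQLuser type=3 result=ok
2022-06-02T23:44:19 host=RDS-01 user=SQLuser type=10 result=ok
2022-06-02T23:52:30 host=CMS-DB user=SQLuser type=3 result=ok
2022-06-03T09:00:00 host=WS-022 user=a.jones type=2 result=ok
"""

# Assumed inventory of privileged accounts: last successful logon before the log
# window and whether MFA is enforced. SQLuser's last use is set at the 2019 retirement
# of the application it served; admin.svc is a hypothetical well-managed account.
PRIV_ACCOUNTS = {
    "SQLuser": {"last_logon": "2019-03-14T10:00:00", "mfa": False},
    "admin.svc": {"last_logon": "2022-05-30T17:20:00", "mfa": True},
}

RDP_LOGON_TYPE = 10  # Windows 4624 logon type 10 = RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    logon_type: int
    ok: bool


def parse_log(text):
    """Parse the assumed key=value logon format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts_str), fields["host"],
                            fields["user"], int(fields["type"]), fields["result"] == "ok"))
    return events


def stale_privileged_accounts(inventory, now_iso, max_idle_days=90):
    """Inventory check: privileged accounts idle longer than max_idle_days should be
    disabled, and any privileged account without MFA needs it enforced.
    Returns {account: [problem, ...]} for accounts that fail either test."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    for name, info in inventory.items():
        idle = now - datetime.fromisoformat(info["last_logon"])
        problems = []
        if idle > timedelta(days=max_idle_days):
            problems.append(f"idle {idle.days}d: disable")
        if not info["mfa"]:
            problems.append("no MFA")
        if problems:
            findings[name] = problems
    return findings


def dormant_account_reuse(events, inventory, max_idle_days=90):
    """Detection: alert when a known privileged account that has been idle for more
    than max_idle_days logs on successfully, then record every host it reaches via
    RDP afterwards (the account-reactivation -> remote desktop -> backend pattern)."""
    last_seen = {n: datetime.fromisoformat(i["last_logon"]) for n, i in inventory.items()}
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if not e.ok:
            continue
        prev = last_seen.get(e.user)
        if prev is not None and e.ts - prev > timedelta(days=max_idle_days):
            alerts.append({"user": e.user, "first_reuse": e.ts.isoformat(),
                           "host": e.host, "rdp_hosts": []})
        if e.logon_type == RDP_LOGON_TYPE:
            for a in alerts:
                if a["user"] == e.user:
                    a["rdp_hosts"].append(e.host)
        last_seen[e.user] = e.ts  # only the first reuse after the gap raises an alert
    return alerts


if __name__ == "__main__":
    print(stale_privileged_accounts(PRIV_ACCOUNTS, "2022-06-03T00:00:00"))
    print(dormant_account_reuse(parse_log(SAMPLE_LOG), PRIV_ACCOUNTS))
```

The inventory check is the preventive control the ICO found missing (the account would have been flagged for disabling years before the incident); the reuse detector is the compensating control for the case where disabling was missed, since a multi-year-old account logging on at night and immediately opening an RDP session is a high-fidelity signal regardless of what the firewall sees.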

    The ICO emphasized that DPP Law did not itself have access to the outdated SQLuser account, yet made no effort to assess the risks it posed, even though it remained active on the network.

    “DPP’s failure to implement these measures constituted a failure to implement appropriate technical and organizational measures to ensure an appropriate level of security over the personal data it was processing,” the ICO said.

    Law Firm May Appeal the Fine

    The £60,000 fine comes with the option for DPP Law to appeal. At the time of writing, the firm has not responded publicly to the ICO’s ruling.

    This case underscores the importance of keeping systems up to date, disabling accounts left over from retired applications, enforcing strong access controls such as MFA on privileged accounts, and reporting security incidents to regulators within the required timeframe.
