Dark web data leak: firm fined following breach

Jonathan Friend, UK and EMEA lead senior privacy counsel at Wise, discusses an incident where a practice’s inadequate security measures led to client data being published on the dark web – and resulted in a £60,000 fine.

Unsafe data

A law firm was fined by the Information Commissioner’s Office (ICO) after more than 30 gigabytes of data were compromised in a cyber attack.

A malicious digital breach in 2022 exposed the inadequacies in the firm’s security measures.

The leaked information included court bundles, documents, photographs and video evidence.

The practice handles cases ranging from crime and family fraud to sexual offences and actions against the police. It works with vulnerable clients, including children and victims.

The sensitive nature of the information had the potential to jeopardise legal proceedings. The identities of protected victims and witnesses were also exposed.

Under the UK General Data Protection Regulation (GDPR), law firms must implement security measures that are appropriate to the rights and freedoms of their clients and their data.

At the time of the breach, the organisation’s email server stopped working and staff couldn't access the IT network.

The in-house IT manager investigated the issue and found all the organisation’s files had been corrupted. An external IT supplier suggested that a ransomware incident had occurred.

The organisation reviewed its firewall and server logs, and found there had been 400 attempts to access the network over the previous four months.
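The review of firewall and server logs described above is the kind of check that should run continuously rather than only after an outage. The following is an added example, not code from the article or from the firm involved: it parses a constructed log format (the line layout, IP addresses, account names and timestamps are all invented for illustration), counts access attempts over a four-month window by source, target account and month, and flags any source that failed repeatedly and then succeeded, which is the pattern a stale credential being guessed or reused would leave behind.

```python
import re
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Constructed line format for this example (not the firm's real logs):
# "<ISO-8601 UTC time> <device> <AUTH_OK|AUTH_FAIL> src=<ip> dst=<ip> dport=<port> user=<account>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<action>AUTH_OK|AUTH_FAIL) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) user=(?P<user>\S+)$"
)

# Constructed sample: a handful of entries standing in for months of firewall output.
SAMPLE_LOG = """\
2022-02-11T03:12:44Z fw01 AUTH_FAIL src=203.0.113.7 dst=10.0.0.5 dport=3389 user=cms_admin
2022-02-11T03:12:51Z fw01 AUTH_FAIL src=203.0.113.7 dst=10.0.0.5 dport=3389 user=cms_admin
2022-03-02T22:40:10Z fw01 AUTH_FAIL src=198.51.100.20 dst=10.0.0.5 dport=3389 user=cms_admin
2022-03-02T22:40:19Z fw01 AUTH_FAIL src=198.51.100.20 dst=10.0.0.5 dport=3389 user=administrator
2022-04-15T09:05:00Z fw01 AUTH_OK src=192.0.2.44 dst=10.0.0.9 dport=443 user=jsmith
2022-05-20T01:17:33Z fw01 AUTH_FAIL src=203.0.113.7 dst=10.0.0.5 dport=3389 user=cms_admin
2022-05-20T01:18:02Z fw01 AUTH_OK src=203.0.113.7 dst=10.0.0.5 dport=3389 user=cms_admin
"""


def parse_log(text: str) -> List[dict]:
    """Turn raw log text into event dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped rather than silently miscounted
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def review_window(text: str, since: datetime, until: datetime) -> Dict:
    """Summarise failed access attempts inside [since, until) and flag
    sources whose failures were followed by a successful sign-in."""
    events = [e for e in parse_log(text) if since <= e["ts"] < until]
    events.sort(key=lambda e: e["ts"])
    fails = [e for e in events if e["action"] == "AUTH_FAIL"]

    by_source = Counter(e["src"] for e in fails)
    by_user = Counter(e["user"] for e in fails)
    by_month = Counter(e["ts"].strftime("%Y-%m") for e in fails)

    # Repeated failures then a success from the same source is worth a human look:
    # it is what a guessed, leaked or reused credential looks like in the logs.
    failed_sources = set()
    success_after_failures: List[str] = []
    for e in events:
        if e["action"] == "AUTH_FAIL":
            failed_sources.add(e["src"])
        elif e["src"] in failed_sources and e["src"] not in success_after_failures:
            success_after_failures.append(e["src"])

    return {
        "total_failures": len(fails),
        "by_source": by_source,
        "by_user": by_user,
        "by_month": by_month,
        "success_after_failures": success_after_failures,
    }


def review_sample() -> Dict:
    """Run the review over the constructed sample for a four-month window."""
    since = datetime(2022, 2, 1, tzinfo=timezone.utc)
    until = datetime(2022, 6, 1, tzinfo=timezone.utc)
    return review_window(SAMPLE_LOG, since, until)


if __name__ == "__main__":
    summary = review_sample()
    print("failed attempts in window:", summary["total_failures"])
    print("by source:", dict(summary["by_source"]))
    print("by target account:", dict(summary["by_user"]))
    print("by month:", dict(summary["by_month"]))
    print("sources that failed then succeeded:", summary["success_after_failures"])
```

The per-account view matters as much as the per-source one: a single dormant administrator name drawing most of the failures is a signal that the account should be disabled or reset, independent of where the attempts come from.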

In line with UK GDPR and the Data Protection Act 2018, notifiable data breaches (those which pose a risk to individuals’ rights and freedoms) must be reported to the ICO within 72 hours of discovery.

However, the organisation stated it did not believe data had been compromised, so did not report the breach.

Forty-one days after the incident, the National Crime Agency (NCA) informed the firm that client data had been published on the dark web.

Two days later, the firm reported the incident to the ICO.

What is the dark web?

The dark web is a hidden part of the internet that can only be accessed with specialised software.

Heavily encrypted networks make it anonymous and make activity on it difficult to track.

Although it is not illegal, it is a place where illicit activity can be carried out.

It’s used by journalists, whistleblowers and hackers for its secure communication and anonymity.

Upon investigation, the ICO discovered an admin account for an old case management system had been exploited to facilitate the attack.

This case management system had been out of service for three years but was still operational for data retention purposes.

However, the relevant staff at the organisation did not know the password for the account and could not reset it.

The account also lacked multi-factor authentication (MFA).

Despite only needing access to a single server, the account had unrestricted access across the firm’s entire network.

This was the weak link in the security system that allowed the cyber criminals to access the network.
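Each of the weaknesses just described (an account tied to a retired system, a credential nobody could reset, no MFA, and network-wide reach where one server would have done) is something a routine account review can surface before an attacker does. The following is an added example, not code from the article or from the firm involved: it runs a simple privileged-account audit over a constructed inventory, with one account modelled on the conditions the ICO described and one well-managed account for contrast. The field names, dates, host names and 90-day review window are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    """One privileged account from an (assumed) inventory export."""
    name: str
    system: str
    system_decommissioned: bool            # the application it served is retired
    mfa_enabled: bool
    last_password_rotation: Optional[date]  # None: credential unknown or never recorded
    last_login: Optional[date]              # None: no sign-in on record
    reach: Set[str] = field(default_factory=set)           # hosts the credential can reach
    required_reach: Set[str] = field(default_factory=set)  # hosts it actually needs


def audit_account(acct: Account, today: date, max_age_days: int = 90) -> List[str]:
    """Return the list of findings for one account; an empty list means it passed."""
    findings: List[str] = []

    if acct.system_decommissioned:
        findings.append("belongs to a retired system: disable or delete the account")

    if not acct.mfa_enabled:
        findings.append("no MFA on a privileged account")

    if acct.last_password_rotation is None or (today - acct.last_password_rotation).days > max_age_days:
        findings.append("credential unknown or not rotated within the review window: reset it")

    excess = acct.reach - acct.required_reach
    if excess:
        findings.append(
            f"reach exceeds need: can reach {sorted(excess)} but only needs {sorted(acct.required_reach)}"
        )

    if acct.last_login is None or (today - acct.last_login).days > max_age_days:
        findings.append("dormant: no sign-in within the review window")

    return findings


def audit_inventory(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Audit every account and map its name to its findings."""
    return {a.name: audit_account(a, today) for a in accounts}


# Constructed sample inventory (hypothetical names and hosts).
AUDIT_DATE = date(2022, 6, 1)
SAMPLE_ACCOUNTS = [
    Account(
        name="legacy_cms_admin",
        system="old case management system",
        system_decommissioned=True,
        mfa_enabled=False,
        last_password_rotation=None,   # nobody knew the password and it could not be reset
        last_login=None,
        reach={"cms-archive", "file-server", "mail-server", "dc01"},
        required_reach={"cms-archive"},  # only the retained data on one server was ever needed
    ),
    Account(
        name="backup_operator",
        system="backup platform",
        system_decommissioned=False,
        mfa_enabled=True,
        last_password_rotation=AUDIT_DATE - timedelta(days=30),
        last_login=AUDIT_DATE - timedelta(days=3),
        reach={"backup01"},
        required_reach={"backup01"},
    ),
]


def run_audit() -> Dict[str, List[str]]:
    return audit_inventory(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, findings in run_audit().items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The most important output here is not the individual findings but the combination: an account that is dormant, unmanaged and over-privileged at the same time is exactly the kind of single point of failure the ICO identified, and the fix (disable it, or reset and scope it to the one host it serves) is cheap relative to the fine.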

In total, 791 data subjects were affected by the breach. Several individuals contacted the firm claiming professional negligence linked to the incident.

Upon learning that their details had been compromised, these individuals reported feeling distressed, experiencing a loss of control of their data, and fearing the potential for fraud.

Regulatory infringements

The ICO’s investigation found that the organisation had infringed:

  • article 5(1)(f) UK GDPR: “personal data shall be processed in a manner that ensures appropriate security of the personal data”
  • article 32(1): “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
  • article 32(2): “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”

By failing to report the breach, the organisation had contravened:

  • article 33(1): “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority”

The ICO ordered the organisation to pay a £60,000 fine, which it deemed an effective, proportionate and dissuasive sanction for failing to protect the highly sensitive personal data involved in the leak, which included privileged data.

Reducing the risk of cyber attacks

Good cyber hygiene is essential for protecting against ransomware.

These attacks are rarely the result of sophisticated hacking: they usually succeed because of simple things like weak passwords, outdated software or falling for phishing emails.

Remote services that aren’t properly secured can act as open doors into a company’s network, leading to serious disruption and damage.

Implementing multi-factor authentication (MFA) is a key defence for safeguarding user credentials.

However, as attack techniques evolve, it’s important to stay informed about methods that try to bypass MFA and apply appropriate controls based on your risk assessment.

To further reduce risks, organisations should invest in regular security training for staff, maintain secure and tested backups, and proactively manage systems to detect and respond to threats early.

By taking these steps, you can significantly lower the chances of becoming a cyber victim.

Your ethical obligations

Safeguarding data is essential – particularly in a digital age.

It is important for firms to have appropriate infrastructure to protect sensitive and privileged client information.

Firms must make sure they follow UK GDPR, and solicitors must ensure that they abide by the guidelines.

This case highlights the importance of identifying vulnerabilities that could be exploited.

The ICO offers guidance on guarding against malware and ransomware and on how to choose appropriate security measures, depending on the sensitivity of data firms hold, which can help firms keep client data safe.

The case also shows the importance of understanding and following the ICO’s notification requirements in the event of a data leak.

Mitigating your risks

As the membership body representing solicitors in England and Wales, we provide guidance for our members and their firms.

This includes various resources and tools to help mitigate risks. Explore our: