News: 1744814707


Law firm 'didn't think' data theft was a breach, says ICO. Now it's nursing a £60K fine

(2025/04/16)


A law firm is appealing against a £60,000 fine from the UK's data watchdog after 32 GB of personal information was stolen from its systems.

DPP Law Ltd, based in Merseyside, North West England, was attacked in June 2022. The Information Commissioner's Office (ICO) says a third-party consultancy determined that the criminal used brute-force tactics to gain entry to an infrequently used administrator's account that lacked multi-factor authentication.

This was exploited to access a legacy case management system. The miscreant then moved laterally across DPP's network and stole 32 GB of data, including private details about identifiable individuals, according to the ICO.


DPP only became aware of the theft when the National Crime Agency contacted it to say information relating to its clients had been posted on the dark web, said the ICO, adding that DPP "did not consider the loss of access to personal information constituted a personal data breach" and didn't report it to the ICO until "43 days after they became aware of it."


Sue Christopher, chief executive of DPP Law, told us that the firm fully cooperated with the ICO investigation regarding the cyberattack in June 2022. "We disagree with the conclusions reached by the Information Commissioner's Office, and we will be lodging an appeal," she said.

"DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials). These independent certifications are intended to assure clients and stakeholders of our adherence to best practices."

[4]UK telco TalkTalk confirms probe into alleged data grab underway

[5]Data watchdog fines Clearview AI $33M for 'illegal' data collection

[6]London council accuses watchdog of 'exaggerating' danger of 2020 raid on residents' data

[7]Cops visit school of 'wrong person's child,' mix up victims and suspects in epic data fail

In a [8]statement, Andy Curry, director of enforcement at the ICO, claimed: "Our investigation revealed lapses in DPP's security practices that left information vulnerable to unauthorised access.

"In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents."


Curry said the ICO will "hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident."

"Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences." ®





[4] https://www.theregister.com/2025/01/25/uk_telco_talktalk_confirms_investigation/

[5] https://www.theregister.com/2024/09/03/clearview_ai_dutch_fine/

[6] https://www.theregister.com/2024/07/17/londons_hackney_council_accuses_the/

[7] https://www.theregister.com/2024/03/01/west_midlands_police_data_protection/

[8] https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/04/law-firm-fined-60-000-following-cyber-attack/




Doctor Syntax

"Sue Christopher"

Nominative determinism?

Stu J

Given what a cock-up they've made in terms of how they handled the breach, and seeing as how they thought they were above the law, I'd very much like to see that paltry fine punitively increased on appeal. The ICO can go up to £8.7M - just saying...

Anonymous Coward

Not as a Civil Monetary Penalty the ICO can't, as CMPs are limited to £500k. Where the law allows for higher penalties the ICO would have to take them to court and have the court determine the penalty. Some other quangos (e.g. HSE and Environment Agency) can, I believe, issue much bigger penalties without resorting to the courts.

Headley_Grange

"DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials)."

I like this. It seems to imply that if I go to court for speeding I can use the "I can't have been speeding because I've got a driving licence" argument.

Anonymous Coward

DPP Law appear to target the "compo" market, so you can infer what you like about a business of that ilk.

"Commitment" is not enough

Mike 137

"is Cyber Essentials certified. This demonstrates our commitment to robust standards in [...] cybersecurity"

No it doesn't. Cyber Essentials is not a "robust standard" -- it's an absolutely minimal one and its implementation is seriously shallow. It merely requires that an organisation self-certifies it has implemented a bunch of basic technical stuff, although at the Plus level this is externally checked and an annual pen test is required. At neither level does it consider the management of security at all (except for patch management as a purely technical matter), so whether the implemented stuff would actually work in the face of threats is not checked. In this case (apparently), among other failures, no effective monitoring was in place, but of course Cyber Essentials doesn't require it.

When Cyber Essentials was first proposed I suggested that (at the Plus level at least) it should include assessment of security management processes, but the powers were not interested, so the idea fell flat (I suspect because too many organisations just wing it, so a standard that included review of management processes would not have been widely adopted).
