ICO fines City Law firm £98,000 for data breaches following ransomware attack


Posted on 28 Mar 2022


Security measures insufficient

The UK data protection authority, the Information Commissioner’s Office (“ICO”), has fined Tuckers Solicitors £98,000 for multiple data breaches relating to the disclosure of their clients’ court documents, which were published on the dark web. This followed a ransomware attack by a hacker which resulted in 972,191 files being stolen from the firm.

The ICO has said that the firm of solicitors breached Article 5(1)(f) of the GDPR by failing to have adequate cybersecurity measures in place to protect their clients’ data. In the report, the ICO noted that the hacker had installed various tools onto the firm’s system which allowed them to create their own account to access the system.

The hacker was assisted by the switch to remote working and was able to infiltrate an app that the firm was using to facilitate working-from-home arrangements. In the eyes of the ICO, the app was not sufficiently secure, as it did not have a multi-factor authentication (“MFA”) function.

ICO’s decision

The ICO concluded that, “taking into consideration the highly sensitive nature of the personal data that Tuckers was processing… Tuckers should not have allowed access to its network using only a single username and password”. It is now widely regarded amongst data protection authorities that single-factor authentication, such as a single username and password, is bad practice and not an adequate cybersecurity control.

In addition to insufficient authentication controls, the ICO found that the slow pace at which software vulnerabilities were patched (there was an intervening five-month period between the patch being released in January 2020 and Tuckers applying the patch in June 2020) and a failure to encrypt personal data contributed to the firm’s GDPR breach.

Lessons to learn

The recent fine and report by the ICO demonstrate the increased vulnerability of clients’ data following the switch to regular remote working. It is important that the systems in place to facilitate remote working are adequate to protect data and that organisations monitor them regularly to ensure that any updates which might be required can be actioned quickly. One way to ensure compliance is to implement an MFA function for employees when accessing the company system.

Unfortunately for Tuckers, the system they had in place was not sufficient to prevent a data breach, and they were slow to action the patch required to cover the software vulnerabilities in their system.

Key Contacts:

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765