
UK’s ICO hits criminal defense firm Tuckers Solicitors with monetary penalty after ransomware attack

Posted on March 10, 2022 by Dissent

There’s an interesting monetary penalty notice involving a UK law firm stemming from a ransomware attack in 2020 and the ICO’s investigation of their data protection and security.

The Information Commissioner announced today that it has issued Tuckers Solicitors a monetary penalty under section 155 of the Data Protection Act 2018 (“the DPA”). The penalty notice imposes an administrative fine on Tuckers, in accordance with the Commissioner’s powers under Article 83 of the General Data Protection Regulation 2016 (“the GDPR”).

The amount of the monetary penalty is £98,000.

In a 44-page notice, the IC outlines the chronology of a ransomware attack the firm experienced in 2020. In that incident, Maze threat actors encrypted files and exfiltrated 60 “court bundles.” As described in the notice, the attack resulted in the encryption “of 972,191 individual files, of which 24,712 related to court bundles; of the encrypted bundles, 60 were exfiltrated by the attacker and released in underground data marketplaces. The compromised files included both personal data and special category data.”

The bundles included a “comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals. The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual; it was likely to have included multiple individuals.”

The Commissioner found that during the period of 25 May 2018 (when GDPR went into effect) and 25 August 2020, Tuckers “failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

Tuckers had posted a notice on its website in 2020 with an update. In their notice, they made it clear that there was no negotiation with the criminals who had attacked them and who then uploaded files to the internet.

Perhaps one of the most striking things about this monetary penalty notice is the specifics of what the IC found lacking in the law firm’s security. Among specific issues the notice raises, the firm was criticized for not using multi-factor authentication (MFA). Although forensics was unable to determine how Maze had gained access, the IC cited security standards for authentication and the need for more than single-factor authentication:

The Commissioner believes that the use of MFA was a comparably low-cost preventative measure which Tuckers should have implemented, with there being a number of both open and proprietary/commercial MFA solutions widely available that are compatible with [redacted].

The IC also found fault with the firm’s failure to encrypt personal data that was on the archive server.

And significantly, the IC found fault with the firm’s failure to timely patch a critical vulnerability for which a CVE had been published in January of 2020. Although it was not clear whether the attackers had exploited that particular vulnerability, it was a possibility.

While the amount of the monetary penalty is not particularly high considering how high some penalties can be, hopefully other law firms and entities will take note that the ICO is drilling down into data protection to check for compliance with best practices and notices.

The full monetary penalty notice can be found on the ICO’s website (pdf).
