There’s an interesting monetary penalty notice involving a UK law firm stemming from a ransomware attack in 2020 and the ICO’s investigation of their data protection and security.
The Information Commissioner announced today that it has issued Tuckers Solicitors a monetary penalty under section 155 of the Data Protection Act 2018 (“the DPA”). The penalty notice imposes an administrative fine on Tuckers, in accordance with the Commissioner’s powers under Article 83 of the General Data Protection Regulation 2016 (“the GDPR”).
The amount of the monetary penalty is £98,000.
In a 44-page notice, the IC outlines the chronology of a ransomware attack the firm experienced in 2020. In that incident, Maze threat actors encrypted files and exfiltrated 60 “court bundles.” As described in the notice, the attack resulted in the encryption “of 972,191 individual files, of which 24,712 related to court bundles; of the encrypted bundles, 60 were exfiltrated by the attacker and released in underground data marketplaces. The compromised files included both personal data and special category data.”
The bundles included a “comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals. The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual; it was likely to have included multiple individuals.”
The Commissioner found that during the period between 25 May 2018 (when GDPR went into effect) and 25 August 2020, Tuckers “failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Tuckers had posted an update notice on its website in 2020. In that notice, the firm made clear that it had not negotiated with the criminals who attacked it and who subsequently uploaded files to the internet.
Perhaps the most striking thing about this monetary penalty notice is how specific the IC is about what it found lacking in the law firm’s security. Among the issues the notice raises, the firm was criticised for not using multi-factor authentication (MFA) on remote access. Although forensics was unable to determine how Maze had gained access, the IC cited security standards for authentication and the need for more than single-factor authentication:
The Commissioner believes that the use of MFA was a comparably low-cost preventative measure which Tuckers should have implemented, with there being a number of both open and proprietary/commercial MFA solutions widely available that are compatible with [redacted].
The IC also found fault with the firm’s failure to encrypt the personal data stored on its archive server, encryption that would not have stopped the attack but would have limited the harm from the exfiltrated files.
And significantly, the IC found fault with the firm’s failure to patch, in a timely manner, a critical vulnerability for which a CVE had been published in January 2020. Although it was not clear whether the attackers had exploited that particular vulnerability, the notice treated it as a possible route of entry, and the finding stands regardless: the measure of compliance was whether a known critical flaw was patched promptly, not whether the attackers happened to use it.
While the amount of the monetary penalty is not particularly high compared with some of the penalties the ICO can impose, hopefully other law firms and entities will take note that the ICO is drilling down into specific security controls (MFA, encryption of stored personal data, timely patching) to check for compliance with recognised security standards and best practices.
The full monetary penalty notice can be found on the ICO’s website (pdf).