The Information Commissioner (ICO) announced yesterday that it has fined Tuckers Solicitors £98,000 following a ransomware attack of the practices archive server.

The attack resulted in the encryption of 972,191 individual files and 60 Court bundles containing a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals. The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual; it was likely to have included multiple individuals. Some of this data was also posted on the dark web.

Perhaps one of the most striking things about this breach is the specifics of what the ICO found lacking in the law firm’s security. Among specific issues the notice raises, the firm was criticized for not using multi-factor authentication (MFA) and not having a security standard in place such as Cyber Essentials. The ICO stated that implementing both of these security measures is comparably low cost and should have been in place.

The ICO also found fault with the firm’s failure to encrypt personal data that was on the archive server. The also ICO found fault with the firm’s failure to promptly implement security patches.
Additionally, the ICO were critical of the Tuckers records management. Data was being retained in excess of its published retention times without any lawful basis to do so. The ICO indicated that the volume of data breached would have been significantly less had the firm deleted records in line with its 7 year retention schedule. You can find the ICO full investigation report here

The important take away from this enforcement action is that the ICO have made a clear indication that they expect organisations to have certain security standards in place. If you process sensitive data and/or large volumes of data you must have MFA enabled, hold security certification such as Cyber Essentials, encrypt devices that hold data and of course have a robust records management process. It’s unlike the ICO to be so specific, so this needs to be taken seriously.

Should you wish to explore Cyber Essentials certification I would be pleased to introduce you to our IT security partner and certification body.