Firm with ‘negligent’ security practices fined £100,000 after cyberattack

I’m not sure IT has mastered this

A criminal law firm has been fined £98,000 after failing to secure sensitive court records which were posted on the dark web, following a ransomware attack.

In August 2020, Tuckers was targeted by hackers who encrypted 972,191 files, including 24,712 court bundles. The attackers exported 60 files (15 criminal proceedings and 45 civil cases) and pasted them on the dark web. Only one of the criminal cases was ongoing, with the other cases completed. Civil cases were a mix of archived cases and ongoing cases.

Personal data posted on the dark web included sensitive medical information; details of the alleged crimes; and the names and addresses of witnesses and victims of the rape and murder trials.

Tuckers reported the breach and the Information Commissioner’s Office (ICO) investigated the matter. While the commissioner said the hackers were primarily culpable, he felt they had exploited “negligent security practices” by the company. Tuckers had not used multi-factor authentication for remote access to its systems, nor had it applied a security patch.

“Tuckers’ failure to implement appropriate technical and organizational measures for some or all of the affected period rendered it vulnerable to attack,” the ICO said, and found that the company had violated the GDPR,

By way of mitigation, the commissioner noted that Tuckers fully cooperated with his investigation and took steps to contact those affected by the breach. However, the ICO said the company was responsible for protecting personal data and fined the company £98,000.

“Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed with this initial finding from the ICO, relating to an attack by an international criminal organization on our system and the theft of data that was already publicly available,” the firm said in a statement.

“Following the attack, we have successfully implemented a wide range of measures to prevent the recurrence of such criminal incidents and the ICO recognizes the enhanced procedures that are now in place as we operate from a system of tip,” the company added.

Of course, this is not the first time that a company has succumbed to a cyberattack.

In 2017, a cyber gang crippled DLA Piper’s communications network for more than two days. The hackers asked the company to pay an unspecified share of bitcoin, but RollOnFriday understands that the company refused to spit. In 2020, a ransomware gang claimed it was auctioning off the files of famous clients of a media law firm. Other hackers simply forced law firms to sell diet pills, advertise busty brides, and flog Viagra.

The fine against Tuckers “should serve as a reminder,” said Dan Davies, chief technology officer at Maintel. “The vast amount of capital and sensitive data that law firms have access to makes them an ideal target for ransomware attacks. While organizations cannot stop all attacks, they must understand how attacks occur and put in place places the right defenses to protect what is often their most valuable asset, data.

Laura J. Boyer