Law Firm Fined £60,000 After Ransomware Group Publishes Client Data

A Merseyside-based law firm has been fined £60,000 by the Information Commissioner’s Office (ICO) after sensitive client information was stolen and leaked online following a ransomware attack.

DPP Law, headquartered in Bootle, was found to have failed in its duty to safeguard personal data, with the ICO ruling that inadequate cybersecurity controls left the firm vulnerable to a breach. Hackers exploited a little-used administrator account—unprotected by multi-factor authentication—to gain access to the firm’s systems and exfiltrate over 32GB of data.

The stolen information, which included court documents, expert witness reports and even police body camera footage, was later discovered on the dark web. The breach affected nearly 800 individuals, including clients involved in criminal, family and police misconduct cases.

Although DPP initially believed that no data had been removed, a lack of proper firewall logging meant it had no visibility of outbound traffic. The firm was only alerted to the breach by the National Crime Agency, which had identified leaked documents on the dark web.

“This incident involved highly sensitive information and should never have happened,” said Andy Curry, the ICO’s interim director of enforcement. “It highlights the importance of basic cybersecurity hygiene, especially in sectors handling special category data.”

The regulator revealed it had received at least one complaint from a client whose case involved allegations of child abuse. Details of the case were among those posted online by the attackers.

DPP Law said it had cooperated fully with the ICO but would appeal the ruling, stating that it now adheres to industry-recognised cybersecurity standards. The firm is also facing several potential claims for professional negligence in relation to the breach.