ICO fines law firm DPP £60,000 over a major client data breach

Merseyside-based law firm DPP has been fined £60,000 by the Information Commissioner’s Office for failing to protect the sensitive personal information of its clients held electronically.

 

Based in Bootle, DPP specialises in legal matters related to crime, military, family fraud, sexual offences, and actions against the police.

 

In a recent press release, the Information Commissioner’s Office said that in June 2022, DPP suffered a significant data security incident which affected access to the firm’s internal network for over a week. An investigation into the same revealed “that a brute force attempt gained access to an administrator account that was used to access a legacy case management system.”

 

“This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web.

 

“DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it,” reads the press release.

 

ICO added that the very nature of DPP’s work means it is “responsible for both highly sensitive and special category data, including legally privileged information. “As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected,” it said.

 

According to the information protection watchdog, the cyber security incident affecting DPP impacted about 791 individuals, including 306 crime clients, 225 family clients, 14 matrimonial clients, 137 actions against the police clients and 109 expert witnesses. “This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients,” reads ICO’s monetary penalty notice.

 

The watchdog has issued a fine of £60,000 to DPP under the UK data protection law, stating that the penalty “is an effective, proportionate and dissuasive measure.”