A UK law firm has been fined after failing to report a cyber attack, claiming it didn’t think it constituted a data breach.
The Information Commissioner’s Office (ICO) has hit Merseyside-based DPP Law with a £60,000 penalty for the 2022 hack, which saw sensitive personal data leaked on the dark web.
A lack of multi-factor authentication (MFA) on a rarely-used administrator account allowed hackers to gain access to its network and steal large volumes of data.
With DPP specializing in law relating to crime, military, family fraud, sexual offences, and actions against the police, it held both highly sensitive and special category data, including legally privileged information with private details about identifiable individuals.
“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access,” said Andy Curry, the ICO’s interim director of enforcement and investigations.
“In publicizing the errors which led to this cyber attack, we are once again highlighting the need for all organizations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”
The attack occurred through a brute force attempt, giving hackers access to an administrator account that was used to access a legacy case management system.
According to the ICO, this likely occurred after an end-user laptop was compromised and subsequently authenticated onto the network. The attackers were then able to move laterally across DPP’s network and exfiltrate around 32GB of data.
However, DPP only discovered this when it was contacted by the National Crime Agency (NCA), which told the firm that information relating to its clients had been posted on the dark web.
Even after this, DPP Law didn’t contact the ICO for another 43 days – when it should have done so within 72 hours. The firm justified its decision by claiming it didn’t think the loss of access to personal information constituted a personal data breach.
After an analysis of log files by a third-party consulting firm, it appeared that brute force attempts on DPP’s network had been made as early as 19 February 2022, and that there were 400 attempts to gain access to the network.
However, when DPP reviewed firewall and server logs, it concluded that no data had been exfiltrated – despite the fact that, at the time, the firm’s firewall logs didn’t record egress data flows, making it impossible for DPP to tell whether data had been exfiltrated or not.
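Two checks a defender would want after an incident like this, as an added example (not code from the article, the ICO or DPP): spotting a burst of failed logins followed by a success against an account, and confirming that firewall logs actually record egress bytes before concluding that nothing left the network. The log formats, account name and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article or DPP's systems).
AUTH_LOG = """\
2022-02-19T02:14:05Z auth fail user=legacy-admin src=198.51.100.7
2022-02-19T02:14:09Z auth fail user=legacy-admin src=198.51.100.7
2022-02-19T02:14:12Z auth fail user=legacy-admin src=198.51.100.7
2022-02-19T02:14:16Z auth fail user=legacy-admin src=198.51.100.7
2022-02-19T02:14:25Z auth ok user=legacy-admin src=198.51.100.7
2022-02-19T08:30:00Z auth ok user=jsmith src=10.0.0.12
2022-02-19T08:31:10Z auth fail user=jsmith src=10.0.0.12
"""
# Constructed firewall lines: the first records bytes in both directions,
# the second (like DPP's logs at the time) omits the egress byte count.
FW_LOG_FULL = "2022-02-20T01:00:00Z fw src=10.0.0.5 dst=203.0.113.9 bytes_in=1200 bytes_out=34359738368"
FW_LOG_NO_EGRESS = "2022-02-20T01:00:00Z fw src=10.0.0.5 dst=203.0.113.9 bytes_in=1200"

AUTH_RE = re.compile(r"^(\S+) auth (ok|fail) user=(\S+) src=(\S+)$")

def find_brute_force(log, threshold=4, window=timedelta(minutes=10)):
    """Flag accounts with >= threshold failures inside `window`, and record
    whether a successful login followed (the signature of a guessed password)."""
    recent, alerts = defaultdict(list), {}
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        result, user, src = m.group(2), m.group(3), m.group(4)
        if result == "fail":
            recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
            if len(recent[user]) >= threshold and user not in alerts:
                alerts[user] = {"failures": len(recent[user]), "src": src, "success_after": None}
        elif user in alerts and alerts[user]["success_after"] is None:
            alerts[user]["success_after"] = ts
    return alerts

def egress_bytes_per_host(fw_log):
    """Sum bytes_out per internal source. Return None when no line carries an
    egress field, i.e. exfiltration volume cannot be assessed from this log."""
    totals, saw_field = defaultdict(int), False
    for line in fw_log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        if "bytes_out" in fields:
            saw_field = True
            totals[fields["src"]] += int(fields["bytes_out"])
    return dict(totals) if saw_field else None
```

A `None` from `egress_bytes_per_host` is the situation DPP was in: the logs cannot support a "no data was exfiltrated" conclusion, so the incident should be assessed as a potential breach.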
“Our investigation demonstrates we will hold organizations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident,” warned Curry.
“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”