An asylum seeker says he is in fear for his life after hackers stole his personal data from Duncan Lewis, an immigration law firm.

Hackers penetrated Duncan Lewis's IT systems in March 2018 and threatened to publish the information they stole unless the firm paid them £3 million.

Duncan Lewis refused and within days the hackers began posting links on Twitter to files containing confidential material about the firm's clients and its employees. 

The Twitter account was quickly suspended. But a few weeks later, the hackers attempted to extort money from at least one client directly. 

’Dean’ (not his real name) was emailed from the work address of Nina Joshi, Duncan Lewis' Managing Director. When he opened the message he discovered it was in fact a ransom demand from the criminals.

"We hacked Duncan Lewis Law Firm few days ago", the email stated. "We picked up your email from their database. We copied all their data, all private and confidential data."

"We asked money from them for keeping their data from leaking. But they don't care about the data leaking, They refuse pay us one penny. So, We contact you directly".

The hackers told Dean that if he failed to persuade Duncan Lewis to transfer them £3 million, or if he was unable to pay them an unspecified sum of money himself, they would expose his files.

"Your lawyers don't care about you now. Save yourself now", they warned.


It was a sophisticated operation.

"I was shocked, I was in fear", Dean told RollOnFriday. "I don't have the money to pay."

Dean has been fighting for several years to avoid deportation to Nigeria. Part of his case rests on his claim that he is bisexual, and he fears that the stolen documents could endanger him if he is compelled to return to Lagos, where being homosexual can attract a lengthy prison sentence. "That's if I land in the hands of the police. Sometimes, before you get to the police, you can be killed by the mobs in the community".

Instead of replying to the hackers, Dean contacted Duncan Lewis.

In a letter seen by RollOnFriday dated October 2018, Duncan Lewis told Dean that the hackers made good on their threat and had sent other law firms involved in his case his probation records, his legal aid documents, his medical reports, a copy of his ID card, information pertaining to his alleged sexual abuse and torture, and details about his daughter including her name, school and passport photo.

It said that the opposing lawyers had promised not to look at any more files they may receive, "But there is a chance that the individual may in the future provide them to someone else."

"My life is in more danger now", said Dean. "I don't know who has access to my files."

He is also susceptible to identity fraud, for which Duncan Lewis offered Dean a year of free credit and identity monitoring.

The firm also advised him to take precautions to ensure his daughter's safety, including informing her school about the breach and asking it to limit who can pick her up from school or make contact with her.

"My daughter's life is no longer safe because I was a client of Duncan Lewis", said Dean.

"We realise this must be very worrying for you", said the firm in its letter to its former client. "We very much regret the incident took place and we apologise for it. We want to do what we can to put things right".

The firm said it had reported the incident to the SRA, the ICO and the police, and told Dean it had put in place new arrangements "to prevent this kind of thing from happening again".

Duncan Lewis declined to comment or to disclose how many clients were affected by the hack.

Tip Off ROF


Anonymous 10 January 20 09:15

OK. So where was their IT security and why didn't they have cyber-insurance? Dixons have just been fined £500k. These guys also need a smacked bum for not encrypting sensitive personal data and putting in place rudimentary security.

Anonymous 10 January 20 09:41

@09:15 while you're probably right, there is nothing in this story to tell you much about their security.  It probably was (significantly) lacking but businesses with far more sophistication than a small law firm still fall victim to these attacks.  Assuming you have a job, is your business' data encrypted at rest and in transit?  Are you sure?  As for insurance, if you're suggesting that would have helped because it would have paid the ransom, (a) that's not necessarily true; (b) paying ransoms does not guarantee the data's safety; and (c) that approach only feeds the ransomware economy (and it is an increasingly mature economy). 

Most law firms need to do more, and this will be a wake up call to the few that have somehow not noticed this threat growing over the last five years or more.  But unhelpful speculation is exactly that.

Lydia 10 January 20 10:01

Good for the lawyers not to give in to the blackmail. As long as everyone stands up to it and does not get in these hackers will realise they are wasting their time. Meanwhile I would like the £300m foreign aid we paid Pakistan last year to go to the UK computer crimes investigators - we have far too much of this kind of crime at present and Action Fraud is overwhelmed.

Anonymous 10 January 20 10:53

I wonder whether we will see any comments questioning whether the blackmail actually took place, and demanding to see evidence of it?

Dearie 10 January 20 14:25

I cannot fathom why the government is not doing more to stop this sort of crime. So far it is taking the "burglary" approach of insure yourself so the police don't have to do anything. And the ICO want to point the finger and collect a nice cheque from a compliant soft target. I get that companies have to have solid measures in place, but this is starting to look like a joke. And where is our Law Society in all of this?

Anonymous 11 January 20 00:38

A medical lab company in British Columbia and Ontario was hacked last year, exposing tens of thousands of clients from the last 10 years whose ID, birthdates, and health records were stolen.  The company provided a year of credit monitoring but ID theft can surface several years after, so it's not that useful or comforting.  There's no real option to use a different lab, either - this one is the only game in town in many places. 

Anonymous 16 January 20 14:20

This is what happens when you outsource all your IT infrastructure to India and don't pay them properly

Related News