An asylum seeker says he is in fear for his life after hackers stole his personal data from Duncan Lewis, an immigration law firm.
Hackers penetrated Duncan Lewis's IT systems in March 2018 and threatened to publish the information they stole unless the firm paid them £3 million.
Duncan Lewis refused and within days the hackers began posting links on Twitter to files containing confidential material about the firm's clients and its employees.
The Twitter account was quickly suspended. But a few weeks later, the hackers attempted to extort money from at least one client directly.
’Dean’ (not his real name) was emailed from the work address of Nina Joshi, Duncan Lewis' Managing Director. When he opened the message he discovered it was in fact a ransom demand from the criminals.
"We hacked Duncan Lewis Law Firm few days ago", the email stated. "We picked up your email from their database. We copied all their data, all private and confidential data."
"We asked money from them for keeping their data from leaking. But they don't care about the data leaking, They refuse pay us one penny. So, We contact you directly".
The hackers told Dean that if he failed to persuade Duncan Lewis to transfer them £3 million, or if he was unable to pay them an unspecified sum of money himself, they would expose his files.
"Your lawyers don't care about you now. Save yourself now", they warned.
It was a sophisticated operation.
"I was shocked, I was in fear", Dean told RollOnFriday. "I don't have the money to pay."
Dean has been fighting for several years to avoid deportation to Nigeria. Part of his case rests on his claim that he is bisexual, and he fears that the stolen documents could endanger him if he is compelled to return to Lagos, where being homosexual can attract a lengthy prison sentence. "That's if I land in the hands of the police. Sometimes, before you get to the police, you can be killed by the mobs in the community".
Instead of replying to the hackers, Dean contacted Duncan Lewis.
In a letter seen by RollOnFriday dated October 2018, Duncan Lewis told Dean that the hackers made good on their threat and had sent other law firms involved in his case his probation records, his legal aid documents, his medical reports, a copy of his ID card, information pertaining to his alleged sexual abuse and torture, and details about his daughter including her name, school and passport photo.
It said that the opposing lawyers had promised not to look at any more files they may receive, "But there is a chance that the individual may in the future provide them to someone else."
"My life is in more danger now", said Dean. "I don't know who has access to my files."
He is also susceptible to identity fraud, for which Duncan Lewis offered Dean a year of free credit and identity monitoring.
The firm also advised him to take precautions to ensure his daughter's safety, including informing her school about the breach and asking it to limit who can pick her up from school or make contact with her.
"My daughter's life is no longer safe because I was a client of Duncan Lewis", said Dean.
"We realise this must be very worrying for you", said the firm in its letter to its former client. "We very much regret the incident took place and we apologise for it. We want to do what we can to put things right".
The firm said it had reported the incident to the SRA, the ICO and the police, and told Dean it had put in place new arrangements "to prevent this kind of thing from happening again".
Duncan Lewis declined to comment or to disclose how many clients were affected by the hack.