Not sure IT has a handle on this

A criminal law firm has been fined £98,000 after it failed to secure sensitive court files which were posted on the dark web, following a ransomware attack.

In August 2020 Tuckers was targeted by hackers who encrypted 972,191 files, including 24,712 court bundles. The attackers exported 60 case files (15 criminal proceedings and 45 civil matters) and stuck them on the dark web. Only one of the criminal cases was ongoing as the rest of the cases had concluded. The civil matters were a mixture of archived and live cases.

The personal data published on the dark web included sensitive medical information; details of alleged crimes; and names and addresses of witnesses and victims from rape and murder trials.

Tuckers reported the breach and the Information Commissioner's Office (ICO) investigated the matter. While the ICO acknowledged that the hackers were primarily culpable, it found that they had exploited "negligent security practices" by the firm: Tuckers had not used multi-factor authentication for remote access to its systems, and had also failed to apply a security patch.

"Tuckers' failure to implement appropriate technical and organisational measures over some or all of the relevant period rendered it vulnerable to the attack," said the ICO, which found that the firm had breached the GDPR.

In mitigation, the ICO noted that Tuckers had co-operated fully with its investigation and had taken steps to contact those affected by the breach. However, the ICO stated that the firm remained responsible for the protection of the personal data it held and fined it £98,000.

“Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available,” the firm said in a statement. 

“Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system,” the firm added.

Of course, it is not the first time a firm has succumbed to a cyber attack.

In 2017, a cyber gang crippled DLA Piper's communication network for over two days. The hackers asked the firm to pay an unspecified wedge of bitcoin, but RollOnFriday understands that the firm refused to cough up. In 2020 a ransomware gang claimed that it was auctioning a media law firm's celebrity client files. Other hackers have merely forced law firms to sell diet pills, advertise busty brides and flog Viagra.

The fine against Tuckers "should act as a reminder," said Dan Davies, Chief Technology Officer at Maintel. "The large amount of capital and sensitive data legal firms have access to, makes them the perfect target for ransomware attacks. While organisations cannot stop every attack, they need to understand how attacks occur and put in place the appropriate defences to protect what is often their most valuable asset, data.” 



Experienced Legal IT Professional 22 March 22 07:37

Sadly the legal firms I know are vulnerable to this regardless of size. I put this down to 1) institutional incompetence within legal IT, 2) senior IT managers are not IT professionals transitioning to management roles, but rather MBA types more comfortable in the partners' lounge, 3) they recruit CVs with household names, not people, and 4) IT isn't and never will be seen as a core part of the industry, just an unfortunate cost for things they don't understand.
