The Lexicology website posted an article on 11-Apr-22 outlining the penalty action taken by the UK’s Information Commissioner against the law firm Tuckers. The article is useful because it highlights an unprecedented step by the regulator: it indicates that lapses in basic cyber-hygiene (missing MFA, slow patching, unencrypted personal data) were in this case enough on their own to warrant a fine.

According to Lexicology: “Recent action by the Information Commissioner’s Office (ICO) makes clear that protecting the public from ransomware attacks is a key priority. This demonstrates a pragmatic approach by the ICO, as the National Security Centre considers ransomware the biggest cyber threat facing the UK. The ICO recently issued its first ransomware-related fine, to Tuckers Solicitors LLP (Tuckers), for failing to adequately mitigate the risk of a ransomware attack, and days later published guidance for data protection compliance in relation to ransomware attacks (the Guidance).

Tuckers fine

On 24 August 2020 Tuckers, a criminal defence law firm, became aware of a ransomware attack on its systems, which resulted in the encryption of 972,191 individual files, of which 24,711 were court bundles related to Tuckers’ clients. 60 court bundles were exfiltrated by the attacker and published on the dark web.

On 10 March 2022, the ICO fined Tuckers £98,000 for breach of Article 5(1) GDPR, which requires that personal data is processed lawfully, fairly and in a transparent manner. This was the first time the ICO has issued a fine relating to a ransomware attack.

In its penalty notice, the ICO outlined specific deficiencies, including the failure to put in place sufficient controls around accessing personal data, and the failure to appropriately manage ‘vulnerability patches’ within the organisation.”

The key areas of criticism were:

  • Failure to implement multi-factor authentication (MFA), described by the ICO as a comparatively low-cost preventative measure, particularly bearing in mind the sensitive level of data processed by Tuckers;
  • Failure to implement patching in accordance with industry guidance, including ISO 27002 and the NCSC Cyber Essentials recommendations (which recommend that patches rated as “high” or “critical” should be applied within 14 days); and
  • Failure to encrypt personal data using “appropriate technical measures”.
