Ransomware attack leads to £98k ICO fine

March 2022

Solicitors firm failed to implement ‘adequate technical and organisational measures’

Are you using Multi-Factor Authentication? Are patch updates installed promptly? Do you encrypt sensitive data?

Reports of cyber security incidents in the UK rose 20% in the last 6 months of 2021.

These figures from the ICO, combined with the heightened threat in the current climate, provide a stark warning to be alert.

The ICO says; “The attacks are becoming increasingly damaging and this trend is likely to continue. Malicious and criminal actors are finding new ways to pressure organisations to pay.”

Against this backdrop the ICO has issued a fine to Solicitors’ firm following a ransomware attack in 2020.

The organisation affected was Tuckers Solicitors LLP (“Tuckers”) which is described on its website as the UK’s leading criminal defence lawyers, specialising in criminal law, civil liberties and regulatory proceedings.

While each organisation will face varying risks, this case highlights some important points for us all.

Here’s a summary of what happened, the key findings and the steps we can all take. For increasing numbers of organisations this case will unfortunately sound all too familiar.

What happened?

On 24 August 2020 Tuckers realised parts of its IT system had become unavailable. Shortly after IT discovered a ransomware note.

  • Within 24 hours it was established the incident was a personal data breach and it was reported to the ICO.
  • The attacker, once inside Tuckers’ network, installed various tools which allowed for the creation of a user account. This account was used to encrypt a significant volume of data on an archive server within the network.
  • The attack led to the encryption of more than 900,000 files of which over 24,000 related to ‘court bundles’.
  • 60 of these bundles were exfiltrated by the attacker and released on the ‘dark web’. These compromised files included both personal data and special category data.
  • The attacker’s actions impacted on the archive server and backups. Processing on other services and systems were not affected.
  • By 7 September 2020, Tuckers updated the ICO to say the servers had been moved to a new environment and the business was operating as normal. The compromised data was effectively permanently lost, however material was still available in management system unaffected by the attack.
  • Tuckers notified all but seven of the parties identifiable within the 60 court bundles which had been released, who they did not have contact details for.

Neither Tuckers, nor third party investigators, were able to determine conclusively how the attacker was able to access the network in the first place. However, evidence was found of a known system vulnerability which could have been used to either access the network or further exploit areas of Tuckers once in side the network.

What data was exfiltrated?

The data released on the ‘dark web’ included:

  • Basic identifiers
  • Health data
  • Economic and financial data
  • Criminal convictions
  • Data revealing racial or ethnic origin

This included medical files, witness statements and alleged crimes. It also related to ongoing criminal court and civil proceedings.

Tuckers explained to the Regulator, based on its understanding, the personal data breach had not had any impact on the conduct or outcome of relevant proceedings.

However, the highly sensitive nature of the data involved increased the risk and potential adverse impact on those affected.

Four key takeaways

The ICO makes it clear in its enforcement notice that primary culpability for the incident rests with the attacker. But clear infringements by Tuckers were found.

The Regulator says a lack of sufficient technical and organisation measures gave the attacker a weakness to exploit.

Takeaways from this case:

1) Multi-Factor Authentication (MFA)

Tuckers’ GDPR and Data Protection Policy required two-factor authentication, where available. It was found that Multi-Factor Authentication (MFA) was not used for its ‘remote access solution’.

The ICO says the use of MFA is a relatively low-cost preventative measure which Tuckers should have implemented.

The Regulator concluded the lack of MFA created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack.

Takeaway: If you currently don’t use MFA, now would be a good time to implement it.

2) Patch management

The case reveals a high-risk security patch was installed in June 2020, more than FOUR months after its release.

The ICO accepts the attacker could have exploited this vulnerability during the un-patched period.

Considering the highly sensitive nature of the personal data Tuckers were handling, the Regulator concludes they should not have been doing so in an infrastructure containing known critical vulnerabilities. In other words the patch should have been installed much sooner.

Takeaway: Make sure patches are installed promptly, especially where data is sensitive.

3) Encryption

During the investigation Tuckers informed the ICO the firm had not used encryption to protect data on the affected archived server.

While the Regulator accepts this may not have prevented the ransomware attack itself, it believes it would have mitigated some of the risks posed to the affected individuals.

Takeaway: There are free, open-source encryption solutions are available. Alternatively more sophisticated paid for solutions are available for those handling more sensitive data.

Also it’s worth checking you’re adequately protecting archives to the same standard as other systems.

4) Retention

The enforcement notice reveals some ‘court bundles’ affected in the attack were being stored beyond the set 7-year retention period.

Takeaway: This again exposes a common issue for many organisations. Too often data is held longer than is necessary, which can increase the scale & impact of a data breach.

Our comprehensive Data Retention Guidance is packed with useful tools, templates and advice on tackling how long you keep personal data for.

What else can organisations do?

Clearly, we can’t be complacent and shouldn’t cut corners. We need to take all appropriate steps to protect personal data and avoid common pitfalls. Here are some useful resources to help you:

  • Cyber Essentials – The enforcement action notes that prior to the attack Tuckers was aware its security was not at the level of the NCSC Cyber Essentials. In October 2019, it was assessed against the ‘Cyber Essentials’ criteria and failed to meet crucial aspects of its requirements.

Cyber Essentials was launched in 2014 and is an information security assurance scheme operated by the National Cyber Security Centre. It helps to make sure you have the basis controls in place to protect networks/systems from threats.

Cyber Essentials – gain peace of mind with your information security
National Cyber Security Centre

  • ICO Ransomware guidance – The ICO has recently published guidance which covers security policies, access controls, vulnerability management, detection capabilities and much more.
  • DPN Data Breach Guide – Our practical guide covers how to be prepared, how to assess the risk and how to decide whether a breach should be reported or not.

You can read the full details of this case here: ICO Enforcement Action – Tuckers Solicitors LLP

As a data protection consultant since 2015, Philippa advises a broad range of clients and delivers data protection training. She regularly writes GDPR guidance to support privacy teams in their day-to-day work.

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.