Privacy Daily is a service of Warren Communications News.

ICO Fines Law Firm After Cyberattack Leaked Sensitive Data to the Dark Web

The U.K. Information Commissioner's Office (ICO) announced Wednesday that it fined DPP Law Ltd $80,000 (£60,000) after a cyberattack resulted in highly sensitive and confidential personal information being published on the dark web.

Cyberattackers grabbed 32 gigabytes of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to say information related to its clients was on the dark web, the ICO noted. Yet DPP didn't consider loss of access to personal information a data breach. As such, it didn't alert the ICO until 43 days later.

The watchdog found that DPP's failure to have appropriate measures in place to secure personal information held electronically allowed hackers to gain access to its network. The hackers compromised an infrequently used administrator account that lacked multifactor authentication.

The law firm specializes in cases relating to crime, military issues, family fraud, sexual offenses and action against the police, the ICO said.

The ICO said it "will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident."