The UK data protection regulator has fined a leading legal practice £98,000 after security failures that enabled ransomware actors to steal sensitive information on scores of court cases.
Tuckers Solicitors, which has offices across southern England, the northwest and Midlands, describes itself as “the UK’s leading criminal defence lawyers.”
However, according to a monetary penalty notice issued by the Information Commissioner’s Office (ICO), its cybersecurity policy failed to comply with GDPR requirements for “technical and organizational measures.”
As a result, threat actors were able to breach the firm’s network, possibly by exploiting a vulnerability that had gone unpatched for five months, and then encrypt nearly one million files on an archive server.
Of these, 24,711 related to “court bundles,” 60 of which were exfiltrated by the attacker and published on an underground market.
“Tuckers stated that the bundles included a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals,” the ICO revealed.
“The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual; it was likely to have included multiple individuals.”
The ICO found that Tuckers had failed to meet its obligations under the GDPR to follow current security best practices.
In particular, it highlighted the firm’s lack of multi-factor authentication (MFA) for remote access and its failure to promptly patch a vulnerability, despite a warning from the National Cyber Security Centre (NCSC) that it was being exploited in the wild. The personal data held on the archive server was also not encrypted, which left the stored court bundles readable to anyone who copied them.
Steve Cottrell, EMEA CTO at Vectra AI, argued that without such protections in place, it would have been relatively easy for an attacker to infiltrate the network, install hacking tools and even create their own user account on the system before deploying the ransomware.
“As human-operated ransomware actors become more sophisticated, it’s vital that organizations can detect signals of malicious activity in near real-time, connecting the dots to spot attacks and act quickly,” he added.
“The key to this is making sure they have advanced threat detection capabilities. By reducing the time it takes to spot threats, providers can mitigate the impact of ransomware, stopping attacks before they become breaches.”