British law firm fined after ransomware group publishes confidential client data | The Record from Recorded Future News

A British law firm has been fined £60,000 ($80,000) after cybercriminals accessed the company's case management system and published sensitive information on the dark web, something the company only learned about after being contacted by the National Crime Agency.

DPP Law, based in Bootle, was found to have breached the United Kingdom's data protection laws by failing to put appropriate measures in place to ensure the security of personal information held electronically.

The Information Commissioner's Office (ICO) stated hackers were able to access the company's IT network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, and then using the access to move laterally across DPP's network, pilfering over 32GB of data.

According to the ICO, as DPP specializes in law relating to crime, military, family, fraud, sexual offences and actions against the police, it is responsible for some of the most highly sensitive and special categories of data covered under data protection laws.

Although the company realized its IT systems had been targeted by a ransomware attack in June 2022, the company initially believed no data had been stolen based on a review of its firewall and server logs, although the firewall logs did not record egress data flows and so offered no information regarding whether the hackers had pilfered anything.

DPP only became aware data had been stolen when it was contacted by the National Crime Agency to be informed that data relating to its clients had been posted on the dark web, according to the official monetary penalty notice. The data included court bundles as well as a range of other documents and media, including police body camera footage.

In total, data on 306 crime clients, 225 family clients, 14 matrimonial clients, 137 clients who were taking action against the police, and 109 expert witnesses were impacted by the breach.

"791 is not an insignificant number considering the sensitivity of the personal data involved. This included highly sensitive information relating to court proceedings and DPP's legal advice to its clients," stated the penalty notice.

The ICO said it received a complaint from one of DPP's clients who had been accused of sexually abusing a child. The individual was informed by the police that details of this allegation had been published online as a result of the ransomware attack.

Andy Curry, the ICO's interim director of enforcement and investigations, said the regulator was publicising the errors which led to this cyber attack to highlight the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.

Sue Christopher, the company's chief executive, told Recorded Future News in an email that DPP had fully cooperated with the ICO's investigation and disagreed with the regulator's conclusions and would be appealing the decision.

She added that the company now holds independent certifications to assure its clients and others that it adheres to best cybersecurity practices.

The law firm has received several potential claims against it for professional negligence related to the cyber incident. Christopher did not immediately provide a statement regarding DPP's response to these claims.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

Copyright 2025 The Record from Recorded Future News