DPP only became aware that data had been stolen when the National Crime Agency contacted it to say that data relating to its clients had been posted on the dark web, according to the official monetary penalty notice. Although the company realized its IT systems had been targeted by a ransomware attack in June 2022, it initially believed no data had been stolen, based on a review of its firewall and server logs. The firewall logs, however, did not record egress data flows and so offered no information on whether the hackers had pilfered anything.

A British law firm has been fined £60,000 ($80,000) after cybercriminals accessed the company’s case management system and published sensitive information on the dark web, something the company only learned about after being contacted by the National Crime Agency.

The Information Commissioner’s Office (ICO) stated that hackers were able to access the company’s IT network by brute-forcing an infrequently used administrator account that lacked multi-factor authentication, and then used that access to move laterally across DPP’s network, pilfering over 32GB of data.

According to the ICO, as DPP specializes in “law relating to crime, military, family fraud, sexual offences, and actions against the police” it is responsible for some of the most highly sensitive and special categories of data covered under data protection laws. In total, data on 306 crime clients, 225 family clients, 14 matrimonial clients, 137 clients who were taking action against the police, and 109 expert witnesses were impacted by the breach. “This included highly sensitive information relating to court proceedings and DPP’s legal advice to its clients,” stated the penalty notice.
This Cyber News was published on therecord.media. Publication date: Wed, 16 Apr 2025 12:50:17 +0000