
DPP Law, a firm in the United Kingdom, didn’t think a data theft was worth reporting to the authorities. Now, it’ll have to pay a £60,000 ($80,000) fine – unless its appeal is successful.
According to the UK’s Information Commissioner’s Office (ICO), the law firm was targeted in a cyberattack almost three years ago. The hit led to highly sensitive and confidential personal information being published on the dark web, the agency added.
A third-party consultancy determined that the criminal used brute-force tactics to gain entry to an infrequently used administrator's account that lacked multi-factor authentication.
The attacker used that access to reach a legacy case management system and steal 32GB of data, including private details about identifiable individuals.
That would be bad enough. In its statement, the ICO said DPP Law “failed to put appropriate measures in place to ensure the security of personal information held electronically.”
However, the company also only became aware of the incident when the National Crime Agency contacted it to tell it that information relating to its clients had been posted on the dark web.
“DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it,” said the ICO in the announcement that the firm has been fined £60,000.
The company’s carelessness is especially unfortunate because DPP specializes in law relating to crime, military, family fraud, sexual offences, and actions against the police. This sort of data is highly sensitive.
“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorized access,” said Andy Curry, interim director of Enforcement and Investigations at ICO.
“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”