Law firm fined following ransomware attack
As we all know, taking on a client’s personal information means taking on a duty of care to keep that information safe and away from threats. Investment in your firm’s cyber security is essential: leaving your ‘cyber doors’ unlocked places your firm in a vulnerable position and leaves it open to attack. Ransomware attacks are not uncommon, and when they occur they can be costly for everyone involved. Don’t risk paying the ultimate price.
An English law firm submitted a personal data breach notification to the Information Commissioner’s Office (ICO) in 2020 following a ransomware attack on its systems which resulted in the loss of personal data of more than 60 individuals.
The ICO reviewed the circumstances of the ransomware attack and found that, by delaying the installation of a software update that repaired a known security issue, the law firm had left the attacker a vulnerability to exploit. In addition, the law firm did not use Multi-Factor Authentication for its remote access solution, and the personal data stored on the archive server that was attacked had not been encrypted.
According to the official report:
“Once inside the network, the attacker installed various attacker tools which allowed the attacker to create its own user account, which it did. The attacker used this account to execute the attack and encrypt a significant volume of personal data contained in case bundles held on the archive server within the firm’s network. As well as encrypting the personal data and the backups, the attacker also exfiltrated 60 court bundles and released them onto the dark web.”
In light of the volume and nature of the personal data for which the law firm was responsible, the ICO held that these data security contraventions were serious matters that justified enforcement action on the facts of this case.
The ICO concluded that the law firm contravened Article 5(1)(f) GDPR (which provides for protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures).
A penalty of £98,000 was imposed.
This case serves as a warning of the consequences of not having the necessary data security provisions in place, including up-to-date software, Multi-Factor Authentication for remote access, and encryption of data where appropriate.
When was the last time you commissioned a security audit?
Act now before it’s too late!