[BreachExchange] Firm fined almost £100,000 over ransomware attack

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 10 10:35:00 EST 2022


https://www.lawgazette.co.uk/news/firm-fined-almost-100000-over-ransomware-attack-/5111806.article

Criminal defence firm Tuckers Solicitors has been fined £98,000 after
failing to secure sensitive court bundles that were later published on the
dark web and held to ransom by organised criminals.

The information commissioner found that a ransomware attack on the national
firm resulted in the encryption of 972,191 files, of which 24,712 related
to court bundles.

Of the encrypted bundles, 60 were taken by the attackers and then posted in
underground data marketplaces.

Of these, 15 related to criminal court proceedings (most of which were
concluded) and 45 involved civil proceedings. The bundles included a
comprehensive set of personal data with medical files, witness statements
and names and addresses of witnesses and victims relating to crimes such as
rape and murder. Some clients whose details were shared were vulnerable in
terms of their mental or physical wellbeing.

The ICO said Tuckers became aware on 24 August 2020 of the ransomware
attack on its system and determined the following day that the attack had
resulted in a personal data breach. On 25 August, the firm reported the
breach and shut down the system, preventing any further possible
unauthorised access.

The decision notice said: ‘The commissioner considers that Tuckers' failure
to implement appropriate technical and organisational measures over some or
all of the relevant period rendered it vulnerable to the attack.’

The ICO made clear that while primary culpability for the incident rested
with the attacker, the firm had given them a ‘weakness to exploit’ and was
responsible for the protection of personal data. The firm had not used
multi-factor authentication for remote access to its systems, despite this
being recommended since 2018.

The ICO said this extra protection was a ‘comparably low-cost preventative
measure which Tuckers should have implemented’, which would have
substantially increased the difficulty of an attacker entering its network.
Entry could have been gained through the exploitation of a single username
and password, and the Tuckers system was exposed to cyber-attacks because
of the lack of multi-factor authentication.

Tuckers admitted to investigators that personal data stored on the archive
server subject to the attack had not been encrypted as a precaution. This
might not have prevented the attack but would have mitigated the risk posed.

The ICO said the infringements of data protection rules showed that the
firm’s approach to data protection compliance ‘was not of an appropriate
standard’.

In mitigation, the ICO accepted that Tuckers proactively sought to address
the security concerns and engaged with third-party experts to bolster its
systems. MFA was implemented for all remote access and mandatory training
provided for all staff. The firm has automated the deletion of personal
data on its case management system on the expiry of the retention period
and transferred all client data to a more secure system. Testing is
regularly carried out and all critical and high-risk issues remedied.

In a statement, the firm said: ‘Tuckers Solicitors takes data privacy and
trust very seriously. We are disappointed in this initial finding from the
ICO, relative to an international criminal organisation’s attack on our
system and theft of data which was already publicly available.

‘We have cooperated in full with the ICO and City of London Police in their
investigation. The commissioner makes clear that he accepts that primary
culpability for this incident rests with the attacker.

‘But for the attacker’s criminal actions, regardless of the state of the
security, the breach would not have occurred. Following the attack we have
successfully implemented a broad range of measures to prevent the
recurrence of such criminal incidents and the ICO acknowledges the
strengthened procedures which are now in place as we operate from a state
of the art system.’