Tuckers notified the ICO on August 25, 2020 that it had suffered ransomware attacks resulting in a breach of personal data. The ICO found this to be an infringement of Article 32 of the GDPR, because Tuckers, as a data controller, had failed to have appropriate security measures in place and had failed to encrypt personal data. The ICO also concluded that Tuckers had failed to comply with the SRA Code of Conduct by not "maintaining effective systems and controls to mitigate risks to client confidentiality".
The cyber-attacker accessed and encrypted 972,191 files, 24,712 of which related to court bundles. Sixty of these court bundles were exfiltrated, and the data, which included both personal and special category data, was released on data marketplaces on the dark web.
In assessing the level of the fine, the ICO did consider some mitigating factors: Tuckers had introduced a multi-factor authentication (MFA) system, engaged third-party experts to strengthen its security systems, and worked with Cyber Griffin at London Police to audit its security procedures and provide staff briefings.
As ransomware attacks are on the rise, recruitment companies, which by the nature of their work process vast amounts of personal data, can take steps to strengthen their defences and avoid incurring penalties: