• Contact Us

How to Avoid a Fine for Data Breach - Sometimes Even Lawyers Get it Wrong

on Friday, 25 March 2022.

The ICO issued criminal lawyers, Tuckers Solicitors, a £98,000 fine for failing to securely process their clients' personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Tuckers notified the ICO on August 25, 2020 that it suffered ransomware attacks that resulted in breach of personal data under article 32 of the GDPR from failing to have appropriate measures in place as a data controller and failing to encrypt personal data. The ICO also concluded that Tuckers failed to comply with the SRA code of conduct by not "maintaining effective systems and controls to mitigate risks to client confidentiality".

The cyber-attacker accessed and encrypted 972,191 files, 24,712 of which related to court bundles. 60 of these court bundles were exfiltrated and the data, which included both personal and special category data, was released in data marketplaces on the dark web.

How Did Truckers Fail to Encrypt Personal Data?

  • Lack of Multi-Factor Authentication - for remote access to Tuckers' system, Tuckers only relied on username and password.
  • Patch Management Failure - a delayed application of a software patch to fix a Citrix vulnerability, which the NCSC flagged in January 2020 was being exploited by malicious attackers and Tuckers only installed in June 2020. ICO also criticised Tuckers' negligence for not promptly solving its inadequacies 10 months after failing the government's Cyber Essentials assessment in October 2019.
  • Failure to encrypt personal data - The ICO accepted that while encryption may not prevent data breach, it can mitigate the risks posed to data subjects.

In assessing the level of the fine, the ICO did consider some mitigating factors. Tuckers had introduced a MFA system; engaged third party experts to increase its security systems and also engaged with Cyber Griffin at London Police to have audits of this security procedures and provide staff briefings

What Can Your Organisation Do to Prevent this from Happening?

As ransomware attacks are on the rise, recruitment companies, which by nature of their work process vast amounts of personal data, can take steps to strengthen their defences and avoid incurring penalties:

  • Implement a MFA system, which the ICO described as "a comparably low-cost preventative measure”.
  • Encrypt the collected data.
  • Have up to date cyber-security systems.

PING banner ad March22 compressed


For advice on best practice for protecting personal data, please contact Penny Bygrave in our Recruitment team on 07909 681572, or complete the form below.

Get in Touch

First name(*)
Please enter your first name.

Last name(*)
Invalid Input

Email address(*)
Please enter a valid email address

Telephone
Please insert your telephone number.

How would you like us to contact you?

Invalid Input

How can we help you?(*)
Please limit text to alphanumeric and the following special characters: £.%,'"?!£$%^&*()_-=+:;@#`

See our privacy page to find out how we use and protect your data.

Invalid Input