ICO reprimands law firm after client data ends up on dark web


Hack: Firm did not have MFA

A law firm that was hacked and had sensitive client data published on the dark web has been reprimanded by the Information Commissioner’s Office (ICO).

It said Hampshire firm Levales was unaware of the security measures its third-party IT provider had in place, and was not using multi-factor authentication (MFA).

A notice published on Friday said the breach of the law firm, which specialises in criminal and military law, “occurred after an unknown threat actor gained access to the secure cloud-based server via legitimate credentials, later publishing the data on the dark web”.

In total, 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high risk’ of harm or detriment due to the special category of data, including data about serious criminal offences. This contained details of charges, convictions, complainants and victims, as well as legally privileged information.

The ICO found that Levales did not ensure the ongoing confidentiality of its processing systems as required by article 32(1)(b) of GDPR.

“Levales Solicitors LLP did not have [MFA] in place for the affected domain account. Levales relied on computer prompts for the management and strength of password and did not have a password policy in place at the time of the incident.

“The threat actor was able to gain access to the administrator level account via compromised account credentials. Levales Solicitors LLP have not been able to confirm how these were obtained.”

The ICO said MFA was “a basic measure” it expected to see organisations processing personal data implement, regardless of risk.

Further, the firm did not implement “appropriate technical and organisational measures” to ensure its systems were secure, as required by article 32(1)(d).

The notice explained: “Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring.

“Levales had not reviewed if the technical measures associated with the contract were appropriate for the personal data they were processing since the contract was first signed in 2012.”

The ICO said it expected contracts with managed service providers to be reviewed and that “the responsibilities within the contract are fully understood to ensure the security of the data being processed is upheld”.

In deciding on a reprimand, the ICO said it took account of the remedial steps taken by Levales, such as introducing MFA for all user accounts, updating service contracts with third-party providers, and carrying out a complete review of its existing systems to prioritise work and upgrades to the firewall.

In June 2023, the National Cyber Security Centre, part of GCHQ, published an updated Cyber Threat to the Legal Sector report, and last week issued tips aimed at sole practitioners and small/medium-sized legal firms to help them reduce the likelihood of becoming victims of a cyber-attack.
