ICO reprimands law firm after client data ends up on dark web

Hack: Firm did not have MFA

A law firm that was hacked and had sensitive client data published on the dark web has been reprimanded by the Information Commissioner’s Office (ICO).

It said Hampshire firm Levales was unaware of the security measures its third-party IT provider had in place, and was not using multi-factor authentication (MFA).

A notice published on Friday said the breach of the law firm, which specialises in criminal and military law, “occurred after an unknown threat actor gained access to the secure cloud-based server via legitimate credentials, later publishing the data on the dark web”.

In total, 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high risk’ of harm or detriment due to the special category of data, including data about serious criminal offences. This contained details of charges, convictions, complainants and victims, as well as legally privileged information.

The ICO found that Levales did not ensure the ongoing confidentiality of its processing systems as required by article 32(1)(b) of GDPR.

“Levales Solicitors LLP did not have [MFA] in place for the affected domain account. Levales relied on computer prompts for the management and strength of password and did not have a password policy in place at the time of the incident.

“The threat actor was able to gain access to the administrator level account via compromised account credentials. Levales Solicitors LLP have not been able to confirm how these were obtained.”

The ICO said MFA was “a basic measure” it expected to see organisations processing personal data implement, regardless of risk.

Further, the firm did not implement “appropriate technical and organisational measures” to ensure its systems were secure, as required by article 32(1)(d).

The notice explained: “Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring.

“Levales had not reviewed if the technical measures associated with the contract were appropriate for the personal data they were processing since the contract was first signed in 2012.”

The ICO said it expected contracts with managed service providers to be reviewed and that “the responsibilities within the contract are fully understood to ensure the security of the data being processed is upheld”.

In deciding on a reprimand, the ICO said it took account of the remedial steps taken by Levales, such as introducing MFA for all user accounts, updating service contracts with third-party providers, and completing a review of its existing systems to prioritise work and upgrades to the firewall.

In June 2023, the National Cyber Security Centre, part of GCHQ, published an updated Cyber Threat to the Legal Sector report, and last week issued tips aimed at sole practitioners and small/medium-sized legal firms to help them reduce the likelihood of becoming victims of a cyber-attack.
