ICO reprimands law firm over data breach that saw money stolen

Cyber attack: Firm started but did not complete Cyber Essentials accreditation

The Information Commissioner’s Office (ICO) has reprimanded a law firm after a cyber-attack led to a data breach and four fraudulent payments being made on a probate matter.

It criticised County Durham firm Swinburne Snowball & Jackson (SSJ) for not having sufficient protections in place and not knowing it had to report data breaches to the ICO.

A notice published yesterday said a spear phishing attack on an employee Outlook email account “interfered with payments to beneficiaries of a probate matter”.

Four fraudulent payments were identified but the ICO redacted how much money was involved. It was repaid by the firm around two weeks later.

The first malicious sign-in occurred on Monday 11 January 2021 but the firm did not realise for three days and the account password was only changed on 15 January.

SSJ then reported the matter to its personal data insurer and the Solicitors Regulation Authority (SRA), and the ICO 11 days later.

The ICO investigation found that SSJ did not have a “suitable contract in place with its IT provider that defined security responsibilities or the level of security required”.

As a result, the firm was unable to demonstrate if or how “preventative, detective or auditing measures were implemented with regards to its email accounts”.

SSJ also did not have multi-factor authentication (MFA) in place for the affected email account, saying its IT contractors had not previously recommended this.

However, the ICO noted that the National Cyber Security Centre (NCSC), SRA and Law Society all “promoted the use of strong or multi-factor authentication” to make unauthorised access more difficult.

The ICO went on: “Given the nature of SSJ’s business and the scope of information it processes and has access to, including financial transactions, it would be anticipated that appropriate security measures, such as MFA, or formal accreditations, such as the NCSC’s Cyber Essentials, would be in place to protect this data. Post incident, SSJ has indicated it has implemented MFA.”

SSJ started but did not complete accreditation to the NCSC’s Cyber Essentials scheme, while SSJ also has the Law Society’s Lexcel quality mark, which says firms should have Cyber Essentials.

As a result, the ICO found that SSJ had failed to comply its obligations under the GDPR to process personal data securely and to have appropriate measures in place “to ensure a level of security appropriate to the risk and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.

In deciding that a reprimand was appropriate, the ICO acknowledged that SSJ had promptly notified affected individuals, repaid the money lost, commissioned a third-party cyber-security firm to investigate and sought advice and assistance with remedial measures from its IT consultants.

The ICO made a series of standard recommendations on governance, identity and access controls, technical control selection, staff training and awareness, and supply chain security, but stressed that these were not compulsory.

“However, if further information relating to this matter comes to light, or if any further incidents or complaints are reported to us, further regulatory action may be considered.”

Businesses have 72 hours to report a personal data breach to the ICO, unless it is unlikely to result in a risk to the rights and freedoms of an individual.

The regulator said: “In this instance, we understand from SSJ’s breach report that SSJ was initially unaware of the 72-hour deadline and focused primarily on identifying and containing the damage caused by the breach.

“SSJ further explained it was a small practice and had taken action to report to the SRA and insurers within 24 hours.”

The ICO said it was “concerned” that SSJ was not “immediately aware of the reporting requirements under the GDPR” and urged the firm to ensure staff were trained on them.

We have approached SSJ for comment.

Leave a Comment

By clicking Submit you consent to Legal Futures storing your personal data and confirm you have read our Privacy Policy and section 5 of our Terms & Conditions which deals with user-generated content. All comments will be moderated before posting.

Required fields are marked *
Email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.


Reshaping workplace culture in law firms

The legal industry is at a critical point as concerns about “toxic law firm culture” reach an all-time high. The profession often prioritises performance at the cost of their wellbeing.

Will solicitors finally be fans of transparency now?

Since the introduction of the SRA’s transparency rules in December 2018, I have been an advocate for law firms going further then the regulatory essentials.

A two-point plan to halve the size of the SRA

I have joked for many years that you could halve the size (and therefore cost) of the Solicitors Regulation Authority overnight by banning both client account and sole practitioners.

Loading animation