Top criminal law firm fined £98,000 for cyber-security “negligence”

Data breach: Firm knew its security was lacking

Leading criminal law firm Tuckers has been fined £98,000 by the Information Commissioner after a ransomware attack that encrypted nearly a million files exploited its “negligent security practices”.

The firm knew it had problems with cyber-security the previous year, having failed the government-backed Cyber Essentials standard, but did not rectify them quickly enough.

The attack, in August 2020, encrypted 972,191 individual files stored on an archive server.

Of these, 24,711 related to court bundles – comprising a “comprehensive set” of personal data – and 60 were exfiltrated by the attacker and published on the dark web. They included privileged material.

Of the 60 exfiltrated bundles, 15 related to criminal cases, all of which had concluded, although in relation to one there were ongoing Proceeds of Crime Act proceedings. The 45 civil bundles were a mixture of archived and live cases.

Backups were also encrypted, but the Information Commissioner’s Office (ICO) said today that “the vast majority” of the personal data Tuckers was processing was in fact held on other, unaffected servers and systems.

Neither Tuckers nor third-party investigators it brought in could say conclusively how the attacker was able to access the network, but there was a known system vulnerability which could have been used; a patch had been released for it in January 2020 but Tuckers only applied it that June.

Once inside the network, the attacker installed various tools which allowed them to create their own user account.

Tuckers said that, whilst the compromised court bundles were effectively permanently lost, the material within the bundles was still available on its case management system.

Today’s penalty notice said that, while “primary culpability” rested with the attacker, Tuckers gave them weaknesses to exploit.

The firm failed to comply with GDPR by not having multi-factor authentication on its remote access solution, which the ICO described as “a comparably low-cost preventative measure which Tuckers should have implemented”.

“The exploitation of a single username and password is a common exploitation method and is likely to be one of two possible entry methods into the Tuckers network.”

Another failure was the delay in applying the patch, which had been identified as ‘critical’.

“Tuckers speculated that it was unlikely the attacker would have exploited a vulnerability to gain access to the network, but then not executed the attack until August 2020, two months after initial access,” the ICO said.

“However, this is a common attacker tactic used by advanced persistent threat groups. Accordingly, the commissioner is not persuaded that [this] casts significant doubt on the likelihood of this patching delay having given the attacker the opportunity they exploited.

“In any event, even if the attack did not exploit this delay, the delay was nonetheless a significant deficiency in Tuckers’ technical measures that created the risk of serious incidents such as this.”

Tuckers also failed to encrypt personal data stored on the archive server. This may not have stopped the attack but it would have mitigated “some of the risks” it posed.

In deciding to issue a fine, the ICO said “this personal data breach occurred due to a criminal and malicious cyber-attack that exploited negligent security practices”.

It recorded that Tuckers was already aware of issues with its cyber-security, having failed to gain the Cyber Essentials standard in October 2019.

“Given the personal data that Tuckers was processing, including special category data of very vulnerable individuals, the commissioner believes that it is reasonable to expect that the security within Tuckers should not only have met, but surpassed the basic requirements of Cyber

“The fact that some 10 months after failing Cyber Essentials it had still not resolved this issue is, in the commissioner’s view, sufficient to constitute a negligent approach to data security obligations.”

Further, Tuckers held the Law Society’s Lexcel quality mark, which said firms should be accredited against Cyber Essentials, while the Solicitors Regulation Authority (SRA) had provided advice on cyber-security in previous years.

In deciding the level of fine, the ICO said an aggravating factor was Tuckers’ failure to meet various standards set out by the SRA in its code of conduct.

There were several points in mitigation, however, around how the firm has “proactively sought to address the security concerns and engaged with third-party experts to increase the security of its systems”.

This included training and information security awareness throughout the business – such as weekly communications on cyber risks and awareness – an expanded IT team and regular penetration testing. It will soon reapply for Cyber Essentials accreditation.

In a statement, the firm said: “Tuckers Solicitors take data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.

“We have cooperated in full with the ICO and City of London Police in their investigation.

“The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker. But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred.

“Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state-of-the-art system.”
