Tuckers Solicitors has been fined £98,000 as a result of its ‘failure to implement appropriate technical and organisational measures’, which led to a personal data breach. The firm was subject to an extensive ransomware attack which resulted in 972,191 files being stolen and later published on the dark net.
A large number of the stolen files were taken from court bundles. These bundles related to both criminal and civil proceedings and contained vast amounts of personal data, including witness statements and medical files. The Information Commissioner’s Office (ICO) has reported that the hacker infiltrated an app used by the firm’s employees in order to create an account of their own and gain access to the firm’s network.
The ICO found that, despite the primary culpability for the breach resting with the attacker, Tuckers had left a ‘weakness to exploit’ by failing to put in place sufficient cybersecurity measures in line with GDPR requirements, including regular cybersecurity training for employees. The watchdog outlined that relatively cheap preventative measures, such as multi-factor authentication for remote access and regular training, would have made it significantly more difficult for the attackers to enter the network and steal the documents.