Tuckers' IT weaknesses exploited, ICO finds
One of the country’s leading criminal law firms has been hit with a £98,000 fine after hackers were able to access court bundles and place some of them on the dark web.
The ransomware attack on Tuckers Solicitors resulted in the encryption of 972,191 individual files, of which 24,712 related to court bundles.
The Information Commissioner's Office (ICO) found that 60 files were exfiltrated and published on underground data marketplaces. Of those, 15 were criminal matters, all but one of which had concluded, and 45 were civil cases, a mixture of old and ongoing matters. The incident occurred in August 2020.
The bundles included a comprehensive set of personal data, including medical files, witness statements, names and addresses of witnesses and victims, and the alleged crimes of the individuals, according to the penalty notice.
Although experts couldn't say for certain how the attackers were able to access the firm's network, they did find evidence of a known system vulnerability for which a security update (otherwise known as a patch) had been released in January 2020 but was not applied until some five months later, in June.
The ICO stressed that while the primary culpability for the incident rested with the attacker, the firm gave the attackers weaknesses to exploit. These included a lack of multi-factor authentication on its remote access solution and the delay in applying the patch.
The penalty notice also states that the personal data stored on the archive server that was subject to the attack had not been encrypted. While this may not have prevented the attack itself, the ICO found it may have mitigated some of the risk posed to those affected.
In mitigation, the ICO noted that Tuckers had proactively sought to address the security concerns and had engaged third-party experts to increase the security of its systems. It had improved training and information security awareness throughout the firm, including through weekly communications on cyber risks and awareness.
In a statement the firm said: “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.”
It added: “We have cooperated in full with the ICO and City of London Police in their investigation. The Commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.”
“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”