Data protection failures lead to penalties

The ICO has found that DPP's lack of security measures allowed hackers to access sensitive personal data
The Information Commissioner’s Office (ICO) has issued a scathing report regarding the security failures of DPP, a firm specialising in law related to crime, military, family, fraud, sexual offences, and actions against the police. The ICO discovered that DPP did not implement appropriate measures to protect the personal information it held electronically, which led to a significant cyber attack. The breach was executed through an infrequently used administrator account that lacked multi-factor authentication (MFA), allowing the attackers to infiltrate DPP’s network and steal 32GB of sensitive data.
Andy Curry, Director of Enforcement and Investigations (Interim), commented on the findings, stating “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.” The stolen information included legally privileged details relating to identifiable individuals, which placed an additional burden on DPP to ensure that data remained safeguarded. The ICO's inquiry highlighted a concerning trend wherein organisations overlook critical security protocols.
Curry continued, “In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.” The ramifications of this breach extend beyond the immediate data loss: organisations can face severe financial penalties and reputational damage for failing to uphold their legal responsibilities. DPP learned of the breach only when the National Crime Agency informed it that client data had been posted on the dark web, and DPP then delayed notifying the ICO for 43 days, believing that the loss of access did not qualify as a data breach.
Curry stated, “Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.” This situation underscores the legal expectations placed on organisations to take proactive steps against potential cyber threats. Regulators expect entities to ensure that all IT systems are protected with MFA and that vulnerabilities are routinely scanned for and addressed.
In light of this incident, the ICO has reiterated the importance of understanding data protection obligations, emphasising that “Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.” For organisations wishing to avoid similar pitfalls, the ICO provides guidance on security obligations and the necessity of reporting data breaches. Furthermore, their recent cyber report, titled Learning from the mistakes of others, aims to offer insights for compliance officers and data protection leaders.
Organisations seeking assistance with compliance, or wishing to report concerns, can contact the ICO via its helpline or website for further guidance.