Tuckers Solicitors fined £98,000 by ICO over data breach
Archived client data was held to ransom and published on the dark web
The Information Commissioner’s Office (ICO) has fined leading criminal defence firm Tuckers Solicitors £98,000 for breach of the General Data Protection Regulation (GDPR), which emerged after the firm suffered a ransomware attack in August 2020.
On 24 August 2020, Tuckers became aware of a ransomware attack on its systems when parts of its IT estate became unavailable. On investigation it found a ransom note from an attacker stating that it had compromised Tuckers' systems. The next day, the firm determined that the attack had resulted in a personal data breach.
The attacker had encrypted 972,191 individual files, of which 24,712 related to court bundles; of the encrypted bundles, 60 were exfiltrated by the attacker and released on the dark web. The compromised files related to 15 criminal and 45 civil case bundles stored on an archive server, which contained both personal data and special category data, including medical files, witness statements, the names and addresses of witnesses and victims, and the alleged crimes of the individuals concerned.
In respect of the criminal cases, Tuckers stated it included one ongoing criminal case but all other criminal cases had been concluded. In respect of the civil cases, Tuckers explained there was a mixture of archived and live cases.
The ICO found that the personal data compromised by the attack was likely to have featured in open court proceedings, but that the unauthorised access resulting from this attack was very different in nature and scale from disclosure in court. Tuckers said that, to its understanding, the personal data breach has not had any impact on the substance of its archived or live cases, i.e. on the conduct or outcome of the relevant proceedings.
The information commissioner found that between 25 May 2018 (the date the GDPR came into force) and 25 August 2020 (the date on which the firm reported the personal data breach), the firm was in contravention of Article 5(1)(f) of the GDPR as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. As a result of this, the information commissioner considered Tuckers' failures had rendered it vulnerable to the attack.
In calculating the monetary penalty, the information commissioner took into account the fact that Tuckers had co-operated fully with its investigation and had taken steps to contact those affected by the breach. It also took into account the fact that Tuckers had taken remedial steps to address the issues identified by the breach. The commissioner set the starting point for calculating the penalty at 3.25 per cent of Tuckers' turnover for the year ending 30 June 2020.
A statement released by the firm said it was “disappointed” with the ICO’s decision. “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.”
It added: “We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.
“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”
The £98,000 fine must be paid by Tuckers before 29 March 2022. Tuckers has the right of appeal.