News Editor, Solicitors Journal

Tuckers Solicitors fined £98,000 by ICO over data breach

Archived client data was held to ransom and published on the dark web

The Information Commissioner’s Office (ICO) has fined leading criminal defence firm Tuckers Solicitors £98,000 for breach of the General Data Protection Regulation (GDPR), which emerged after the firm suffered a ransomware attack in August 2020.

On 24 August 2020, Tuckers became aware of a ransomware attack on its systems when parts of its IT system became unavailable. Upon investigation, it found a ransomware note from an attacker stating it had compromised Tuckers’ systems. The next day, the firm determined the attack had resulted in a personal data breach.

An attacker had encrypted 972,191 individual files, of which 24,712 related to court bundles; of the encrypted bundles, 60 were exfiltrated by the attacker and released on the dark web. The compromised files related to 15 criminal and 45 civil case bundles stored on an archive server, which contained both personal data and special category data, including medical files, witness statements, names and addresses of witnesses and victims, and the alleged crimes of the individuals.

In respect of the criminal cases, Tuckers stated it included one ongoing criminal case but all other criminal cases had been concluded. In respect of the civil cases, Tuckers explained there was a mixture of archived and live cases.

The ICO found the personal data compromised by the attack was likely to have featured in open court proceedings, but that the unauthorised access to personal data resulting from this attack was very different in nature and scale. Tuckers said, to its understanding, the personal data breach has not had any impact on the substance of its archived or live cases – i.e. on the conduct or outcome of the relevant proceedings.

The information commissioner found that between 25 May 2018 (the date the GDPR came into force) and 25 August 2020 (the date on which the firm reported the personal data breach), the firm was in contravention of Article 5(1)(f) of the GDPR as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. As a result of this, the information commissioner considered Tuckers' failures had rendered it vulnerable to the attack.

In calculating the monetary penalty, the information commissioner took into account the fact that Tuckers had co-operated fully with its investigation and had taken steps to contact those affected by the breach. It also took into account the fact that Tuckers had taken remedial steps to address the issues identified by the breach. The commissioner found its starting point for calculating the penalty to be 3.25 per cent of Tuckers’ turnover for 30 June 2020.

A statement released by the firm said it was “disappointed” with the ICO’s decision. “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available”.

It added: “We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.

“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”

The £98,000 fine must be paid by Tuckers before 29 March 2022. Tuckers has the right of appeal.
