UK criminal defense lawyer hadn't patched when ransomware hit
Criminal defense law firm Tuckers Solicitors is facing a fine from the UK's data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.
Data held on the archive server had not been encrypted, Tuckers admitted to the ICO. This wouldn't have prevented the attack but may have mitigated the risk to data subjects.
Of the encrypted bundles, 60 were "exfiltrated by the attacker and released in underground data marketplaces," says the ICO. Tuckers said in its company blog that the data dumped on the dark web pertained to 60 clients out of a potential haul of 60,000, so this wasn't the worst result for the lawyer.
"The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual, it was likely to have included multiple individuals," the ICO states in its report.
The ICO says the personal data in the bundles included special category data that related to vulnerable individuals such as children or those involved in significant crimes, which increased the "severity of this infringement."
"Taking into consideration the highly sensitive nature of the personal data that Tuckers were processing, as well as the state of the security updates, and the costs of implementation for them, Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk," the report says.
News URL
https://go.theregister.com/feed/www.theregister.com/2022/03/15/brit_solicitor_fined_for_failing/