Criminal defense law firm Tuckers Solicitors is facing a fine from the UK’s data watchdog for failing to properly secure data that included information on case proceedings which was scooped up in a ransomware attack in 2020.
The London-based business was handed a £98,000 penalty notice by the Information Commissioner’s Office under Article 83 of the EU’s General Data Protection Regulation 2018*.
The breach was first noted by Tuckers on August 23 2020 when part of its IT system became unavailable. On closer inspection, resident techies found a note from the attackers confirming they had compromised part of the infrastructure. The Microsoft Exchange server was out of action and two days’ worth of emails were lost, as detailed by the company blog at the time.
The breach was reported to the ICO by Tuckers on August 25 2020, the ICO says.
According to the watchdog’s monetary penalty notice [PDF], “neither” the solicitor nor the third-party specialist hired to investigate the break-in was able to confirm the exact location of unauthorized entry, but both “found evidence of a known system vulnerability.”
Tuckers told the ICO it patched the unnamed vuln in June 2020, but admitted the patch had been released in January that year, and the lawyer “accepted that the attacker could have exploited it” in that five-month period, the ICO report states. The CVE had a CVSS score of 9.8, or “critical”, it adds.
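The five-month gap between the patch’s release and its deployment is the failing the ICO focused on. As an added illustration (not code from the article, the ICO or Tuckers), the following Python check computes the exposure window for each host in a patch inventory, flags entries that overran a per-severity patching SLA, and ranks hosts that process personal data first. The SLA thresholds, host names and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical patch-deployment SLA in days per CVSS v3 severity band.
# These thresholds are an assumption for this example, not any regulator's or firm's policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class PatchRecord:
    host: str
    cve: str                       # identifier as tracked in the inventory (placeholder here)
    cvss: float
    patch_released: date           # vendor release date of the fix
    patch_applied: Optional[date]  # None if the fix has still not been applied
    personal_data: bool            # does this host process personal data?


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days between the fix being available and it being applied (or `as_of` if never applied)."""
    end = rec.patch_applied or as_of
    return max(0, (end - rec.patch_released).days)


def assess(records, as_of: date):
    """Return one finding per record, most urgent first.

    Each finding carries the exposure window, the SLA for the severity band,
    whether the SLA was breached and by how many days.
    """
    findings = []
    for rec in records:
        band = cvss_band(rec.cvss)
        exposed = exposure_days(rec, as_of)
        sla = SLA_DAYS[band]
        findings.append({
            "host": rec.host,
            "cve": rec.cve,
            "band": band,
            "exposure_days": exposed,
            "sla_days": sla,
            "breached": exposed > sla,
            "days_over": max(0, exposed - sla),
            "still_unpatched": rec.patch_applied is None,
            "personal_data": rec.personal_data,
        })
    # Ordering: SLA breaches first, then hosts holding personal data, then longest exposure.
    findings.sort(key=lambda f: (not f["breached"], not f["personal_data"], -f["exposure_days"]))
    return findings


# Constructed inventory for the example; CVE ids are placeholders, not real identifiers.
SAMPLE_INVENTORY = [
    PatchRecord("mail01", "CVE-0000-0001", 9.8, date(2020, 1, 15), date(2020, 6, 10), True),
    PatchRecord("archive01", "CVE-0000-0002", 7.5, date(2020, 7, 1), None, True),
    PatchRecord("build01", "CVE-0000-0003", 5.3, date(2020, 8, 1), date(2020, 8, 20), False),
]


def assess_sample(as_of: Optional[date] = None):
    """Run the assessment over the constructed inventory as of a given date (default 2020-08-23)."""
    return assess(SAMPLE_INVENTORY, as_of or date(2020, 8, 23))


def report(as_of: Optional[date] = None):
    """Render the findings as one line per host."""
    lines = []
    for f in assess_sample(as_of):
        status = "BREACH" if f["breached"] else "ok"
        lines.append(
            f"{status:6} {f['host']:10} {f['cve']:14} {f['band']:8} "
            f"exposed={f['exposure_days']:3}d sla={f['sla_days']}d over={f['days_over']}d "
            f"unpatched={f['still_unpatched']} personal_data={f['personal_data']}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is, the report places the mail host first: its critical-severity fix sat unapplied for 147 days against a 14-day SLA, on a system processing personal data, which is exactly the combination the ICO’s notice treats as unacceptable risk.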
Once the attacker was inside the network, they created their own account and used this to launch the wider assault, encrypting a “significant volume of personal data contained in case bundles held on the archive server within the Tuckers network,” the report adds.
Data held on the archive server had not been encrypted at rest, Tuckers admitted to the ICO. Encrypting it wouldn’t have prevented the attack but may have mitigated the risk to data subjects.
The criminals then encrypted 972,191 individual files, of which 24,712 related to court bundles. Of the encrypted bundles, 60 were “exfiltrated by the attacker and released in underground data marketplaces,” says the ICO.
Tuckers said in its company blog the data dumped on the dark web pertained to 60 clients out of a potential haul of 60,000, so this wasn’t the worst result for the lawyer. Neither was this its finest hour.
“The 60 exfiltrated court bundles included 15 relating to criminal court proceedings and 45 civil proceedings. Of the 60 exfiltrated court bundles, the personal data was not related to just one living individual, it was likely to have included multiple individuals,” the ICO states in its report.
The criminal cases had concluded, with just one still at the Proceeds of Crime Act stage. The civil cases were a mix of archived and live cases. Tuckers told the ICO that to the best of its understanding the security breach “had not had any impact… on the conduct or outcome of the relevant proceedings.”
The ICO says the personal data in the bundles included special category data that related to vulnerable individuals such as children or those involved in significant crimes, which increased the “severity of this infringement.”
Tuckers refused to pay the ransom, saying in its August 2020 blog: “Unfortunately for our attackers, targeting a criminal defence firm, with income predominantly from the legal aid sector, with a view to extorting money, is something of a fool’s errand.”
The business instead moved its server to a new environment by September 2020, “albeit without the restoration of the data that had been compromised by the attacker”, which it said was “permanently lost”, although, it added, the material in the bundles was still available in the case management system.
The conclusion from the ICO was that the primary cause of the incident obviously rests with the ransomware criminal or criminals.
Yet an unpatched vulnerability “gave the attacker a weakness to exploit,” and the serious nature of the personal data was such that it justified enforcement action.
“Taking into consideration the highly sensitive nature of the personal data that Tuckers were processing, as well as the state of the security updates, and the costs of implementation for them, Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk,” the report says. ®
*The applicable legislation at the time of the incident, which occurred before the official Brexit date of January 31, 2020.