The UK government’s data regulator has fined London-headquartered law firm Tuckers Solicitors £98,000 for failing to properly look after its clients’ data, after a cyberattack saw almost a million legal documents stolen and leaked onto the dark web.
The UK government’s Information Commissioner’s Office (ICO) said the criminal solicitors firm – which has offices across the country in major cities including London, Manchester, and Birmingham – failed to put in place proper cybersecurity measures, after a cyberattack resulted in 972,191 files being stolen from the firm, including 60 court bundles which were later published on the darknet.
Today, the ICO fined Tuckers £98,000 after ruling the firm had broken GDPR rules by failing to put in place sufficient cybersecurity measures and failing to protect its customers’ data.
In a report, the ICO explained that the files came to be leaked after a hacker installed various tools onto Tuckers’ system, which allowed them to create their own account. The attacker then used the account to steal 60 court bundles and publish them onto a darknet market.
The ICO noted that the hacker took advantage of the switch to remote working by infiltrating an app used by the firm to allow employees to access their work desktops from home.
However, the watchdog said Tuckers failed to put in place relatively cheap and simple cybersecurity measures, including multi-factor authentication (MFA), that may have prevented the attack.
“Taking into consideration the highly sensitive nature of the personal data that Tuckers was processing… Tuckers should not have allowed access to its network using only a single username and password,” the ICO report says.