On April 14, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined DPP Law (“DPP”) £60,000 (approximately $80,000) following a ransomware incident. In its penalty notice, the ICO found that DPP failed to implement appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 UK GDPR. This is the second fine in Q1 2025 imposed by the ICO for such a failure. See the ICO’s action against Advanced Computer Software Group Ltd here.
The DPP penalty notice is available here.
What happened?
On June 4, 2022, DPP's email server stopped working, and staff had no access to its IT network. All files across DPP's servers had been corrupted. It was later discovered that on June 3, 2022, a threat actor had compromised an end-user laptop, which gave it access to a service-based administrator account; through this account the threat actor authenticated onto the system. The threat actor then deployed Cobalt Strike and began running PowerShell commands. MegaSync and Rclone were also installed to exfiltrate data.
The service-based administrator account used by the threat actor was for a retired case management system, taken out of service on April 30, 2019. In 2021 DPP’s service agreement for the case management system terminated, but as per DPP’s data retention policy, case files were held for six (6) years. As such, the system was still operational in 2022.
There was evidence of brute force attempts on DPP's network from as early as February 19, 2022. A total of 400 attempts were made to gain access to the network, which were apparently not detected by DPP.
What personal data did the incident affect?
As a result of the ransomware incident, 32.4 GB of data was taken and published on the dark web. In total 791 individuals were affected:
- 306 crime clients
- 225 family clients
- 14 matrimonial clients
- 137 actions against the police clients
- 109 expert witnesses
The data included court bundles, PDFs, Word documents, photos, videos relating to clients and expert evidence from legal proceedings. The data taken contained highly sensitive personal data, likely to result in a high risk to the rights and freedoms of individuals including:
- jeopardising ongoing criminal proceedings;
- identifying clients under criminal investigation who were yet to be charged; and
- identifying victims of crime including those afforded statutory protection.
The ICO considered that individuals suffered material and non-material damage (whether actual or foreseeable) due to the loss of data including:
- loss of control of personal data;
- loss of human dignity; and
- psychological harms.
Did DPP notify the ICO?
DPP did not identify the data exfiltration itself; rather, the National Crime Agency notified DPP that data had been published on the dark web. As such, DPP notified the ICO 43 days after the incident occurred.
What did the ICO focus on in its penalty notice?
Multi-factor authentication (“MFA”)
DPP used MFA for the purpose of connecting to its network via VPN. However, the service-based administrator account that was used by the threat actor did not have MFA enabled. Once again, the ICO has focused on the importance of MFA as an appropriate technical and organisational measure to help secure personal data.
Appropriate technical and organisational measures on all systems
The ICO found that DPP’s infringements of Articles 5(1)(f) and 32 UK GDPR had subsisted for at least four (4) years prior to the risk materialising (i.e., a personal data breach occurring). As such, companies should ensure that all systems (including retired systems), have appropriate technical and organisational measures implemented from the date of creation of the system through to the date on which the system is no longer storing / processing personal data. In the case of DPP:
- DPP did not know the password for the service-based administrator account and was unable to reset it.
- DPP did not carry out an audit of accounts on its servers to limit privileges and / or disable accounts. As such, the service-based administrator account could be used by a threat actor to obtain full access to DPP’s network.
- DPP did not carry out a risk assessment in relation to the service-based administrator account having excessive access privileges. This was highlighted as being an important risk consideration given the accessibility of sensitive personal data.
Delay in notifying the ICO
For the first time, the ICO has commented on the issue of a delay in notifying a personal data breach. Under Article 33 UK GDPR a personal data breach must be notified within 72 hours, a deadline that DPP missed. The ICO considered that DPP's failure to notify the ICO of the personal data breach within 72 hours was an aggravating factor and increased its fine accordingly.