Company fined £60k after cyber attack

Yahoo

16-04-2025

A Merseyside law firm has been fined £60,000 after a cyber attack that led to highly sensitive and confidential personal information being published on the dark web. The Information Commissioner's Office (ICO) found DPP Law Ltd, which has offices on Stanley Road in Bootle and Tithebarn Street in Liverpool city centre, failed to put appropriate measures in place to ensure the security of personal information held electronically.
According to the ICO, this failure enabled cyber hackers to gain access to DPP's network, via an infrequently used administrator account which lacked multi-factor authentication (MFA), and steal large volumes of data.
This occurred in June 2022 when DPP suffered a cyber attack which affected access to the firm's IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system.
READ MORE: 'Stunning' new build in 'highly sought-after' coastal location
READ MORE: How often you should bath your kids and is daily bathing too much
This enabled cyber attackers to move laterally across DPP's network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to its clients had been posted on the dark web.
The ICO said DPP did not consider that the loss of access to personal information constituted a personal data breach. As a result, it did not report the incident to the ICO until 43 days after it became aware of it.
Andy Curry, ICO interim director of enforcement and investigations, said: "Our investigation revealed lapses in DPP's security practices that left information vulnerable to unauthorised access.
"In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.
"Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.
"Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences."
DPP specialises in law relating to crime, military, family fraud, sexual offences and actions against the police. An ICO statement said: "The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.
"As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected."
The law requires organisations to take continual and proactive steps to protect themselves against cyber attacks. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.
The ECHO has approached DPP for comment.
For the latest news and breaking news visit http://www.liverpoolecho.co.uk/news/. Get all the big headlines, pictures, analysis, opinion and video on the stories that matter to you.
Join the Liverpool ECHO Breaking News and Top Stories WhatsApp community to receive the latest news straight to your phone by clicking here.