Cybersecurity – A painful reminder!
A £60,000 penalty imposed on Merseyside-based DPP Law Limited by the Information Commissioner’s Office (ICO) recently has sent a strong message to all businesses about the importance of robust data protection.
The fine followed a serious cyber attack in 2022, in which highly sensitive client information was stolen and published on the dark web. While DPP Law operates in particularly sensitive legal areas, the lessons from the incident are relevant to any organisation handling personal data, including small and owner-managed businesses.
What happened at DPP Law?
In June 2022, DPP Law, a firm specialising in criminal and family law, suffered a cyber attack that disrupted its IT systems for over a week. Hackers gained access through an infrequently used administrator account that did not have multi-factor authentication (MFA) enabled. This allowed them to move across the network and download sensitive data, including court documents, police body cam footage, and other confidential records.
The breach only came to light when the National Crime Agency informed DPP that stolen client data had appeared on the dark web. Critically, DPP did not initially recognise the incident as a reportable personal data breach and delayed notifying the ICO for 43 days. This is well beyond the required 72-hour window under UK data protection law.
The ICO investigation found that DPP Law had failed to:
- Implement adequate security controls, especially MFA for privileged accounts.
- Properly manage and decommission outdated legacy systems.
- Report the breach within the legally mandated timeframe.
Why was the fine issued?
The ICO’s penalty notice highlighted several failings:
- Lack of MFA on Administrator Accounts: The targeted account was a legacy administrator profile with unrestricted network access but no MFA, making it an easy target for brute-force attacks.
- Outdated Legacy Systems: The administrator account belonged to a case management system that had been taken out of service in 2019 but was still running because of data retention policies. Its password was known only to the original system provider, and the account remained over-privileged and unmonitored.
- Delayed Breach Notification: DPP Law did not notify the ICO within the required 72 hours, breaching UK GDPR obligations.
The ICO stressed that data protection is a legal obligation, not a technical afterthought. Andy Curry, interim Director of Enforcement and Investigations at the ICO, stated ‘Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access… This penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.’
Lessons for small businesses
While the DPP Law case involved a legal firm, the underlying issues are relevant to any business that handles personal data. Here are the key takeaways:
1. Multi-Factor Authentication (MFA) Is Essential
All administrator and remote access accounts should have MFA enabled by default. This simple measure can prevent unauthorised access, even if passwords are compromised.
2. Regularly Review and Decommission Legacy Systems
Legacy accounts and systems, even if rarely used, can present significant vulnerabilities if not properly managed or decommissioned.
Ensure all accounts are actively managed and unnecessary ones are removed.
3. Monitor for Unusual Activity
Implement regular security scans and monitoring to detect unauthorised access or suspicious activity early.
Automated alerts can help identify intrusion attempts before significant damage occurs.
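The kind of automated alert described above, as an added example that is not part of the original article: a small detector that reads login records and flags the pattern the ICO notice describes, a burst of failed logins against an administrator account followed by a success. The syslog-style line format, the account names, the source addresses and the thresholds are all constructed for the example; a real deployment would read the authentication log of whatever system holds the privileged accounts.

```python
"""Flag brute-force login patterns against privileged accounts.

Added example (not from the article or the ICO notice). It parses
constructed, syslog-style login records and raises an alert when one
source accumulates many failed logins for an account inside a short
window, and a higher-severity alert when a successful login follows
that burst. Log format, account names and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failures from one source inside the window
WINDOW = timedelta(minutes=10)
# Accounts that should never be exposed to password guessing (assumed list).
PRIVILEGED = {"legacy-cms-admin", "root", "administrator"}

# Constructed sample records; not real data.
SAMPLE_LOG = """\
2022-06-01T02:14:03Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:14:05Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:14:08Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:14:10Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:14:13Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:14:16Z auth sshd: Failed password for legacy-cms-admin from 203.0.113.7
2022-06-01T02:15:41Z auth sshd: Accepted password for legacy-cms-admin from 203.0.113.7
2022-06-01T08:02:11Z auth sshd: Failed password for jsmith from 198.51.100.4
2022-06-01T08:02:20Z auth sshd: Accepted password for jsmith from 198.51.100.4
2022-06-01T08:05:00Z auth cron: session opened for user backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, success, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["outcome"] == "Accepted", m["user"], m["src"]


def detect(lines, threshold=FAILURE_THRESHOLD, window=WINDOW, privileged=PRIVILEGED):
    """Sliding-window detector keyed on (account, source address)."""
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    burst_flagged = set()           # keys already alerted, to avoid repeats
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, success, user, src = rec
        key = (user, src)
        q = failures[key]
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        is_priv = user in privileged
        if not success:
            q.append(ts)
            if len(q) >= threshold and key not in burst_flagged:
                burst_flagged.add(key)
                alerts.append({"type": "brute_force", "user": user, "src": src,
                               "severity": "high" if is_priv else "medium",
                               "failures": len(q), "at": ts})
        else:
            # A success after a burst of failures is the signal worth paging on.
            if len(q) >= threshold:
                alerts.append({"type": "success_after_brute_force", "user": user,
                               "src": src,
                               "severity": "critical" if is_priv else "high",
                               "at": ts})
            q.clear()
            burst_flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the detector raises one `brute_force` alert at the fifth failure and one `critical` alert when the guessed password is accepted, while the ordinary user who mistyped once and then logged in produces nothing. An account in the privileged set that is also meant to be dormant should additionally be alerted on any success at all; that is a one-line extension of the success branch.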
4. Understand and Meet Breach Reporting Obligations
If a breach occurs that risks individuals’ rights or freedoms, it must be reported to the ICO within 72 hours of awareness.
Delays can result in additional penalties and reputational damage.
5. Cybersecurity Is an Ongoing Responsibility
Regularly assess and update your cybersecurity measures. Data threats are constantly evolving, and what was secure last year may not be sufficient today.
Practical steps to take…
To reduce the risk of similar incidents, consider the following actions:
- Enable MFA on all accounts, especially those with administrative privileges.
- Conduct regular reviews of all user accounts and remove or restrict those no longer needed.
- Keep all systems and software up to date and decommission legacy platforms promptly.
- Train staff on cybersecurity best practices and how to spot phishing attempts.
- Develop a clear data breach response plan, including how and when to notify the ICO.
- Regularly back up data and test your ability to restore it in the event of an attack.
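The account review in the first two steps above, and lessons 1 and 2, as an added example that is not part of the original article: an audit over an account inventory that reports the three conditions the ICO notice called out, a privileged account without MFA, an account that has not been used for a long period, and an account that belongs to a system already taken out of service. The inventory field names, the 90-day threshold and the sample accounts are constructed assumptions; in practice the inventory would be an export from the directory or identity provider.

```python
"""Audit an account inventory for the failings cited in the DPP Law case.

Added example, not from the article or the ICO notice. It runs over a
constructed inventory (field names, thresholds and accounts are
assumptions) and reports privileged accounts without MFA, dormant
accounts, and accounts left behind by decommissioned systems.
"""
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)        # assumed review threshold
AS_OF = date(2022, 6, 1)                  # assumed date the audit is run
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

# Constructed inventory; a real one would be exported from the directory/IdP.
ACCOUNTS = [
    {"name": "legacy-cms-admin", "privileged": True, "mfa": False,
     "last_login": date(2019, 11, 30), "system": "case-mgmt-2015", "system_retired": True},
    {"name": "it-admin", "privileged": True, "mfa": True,
     "last_login": date(2022, 5, 30), "system": "corp-ad", "system_retired": False},
    {"name": "finance-admin", "privileged": True, "mfa": False,
     "last_login": date(2022, 5, 29), "system": "corp-ad", "system_retired": False},
    {"name": "jsmith", "privileged": False, "mfa": True,
     "last_login": date(2022, 1, 4), "system": "corp-ad", "system_retired": False},
    {"name": "svc-backup", "privileged": False, "mfa": False,
     "last_login": None, "system": "corp-ad", "system_retired": False},
]


def audit_account(acct, today, dormant_after=DORMANT_AFTER):
    """Return the findings for one account as (check, severity, action) records."""
    findings = []
    # No recorded login at all counts as dormant: nobody can vouch for the account.
    dormant = acct["last_login"] is None or today - acct["last_login"] > dormant_after
    if acct["privileged"] and not acct["mfa"]:
        findings.append(("privileged_no_mfa", "high", "enforce MFA before next use"))
    if acct["system_retired"]:
        findings.append(("orphaned_legacy_account", "high",
                         "remove together with the decommissioned system"))
    if dormant:
        # An unused administrator account is the worst case: high privilege, nobody watching.
        sev = "critical" if acct["privileged"] else "medium"
        findings.append(("dormant", sev, "disable, then delete after the retention period"))
    return [{"account": acct["name"], "check": c, "severity": s, "action": a}
            for c, s, a in findings]


def audit(accounts, today, dormant_after=DORMANT_AFTER):
    """Audit every account and order findings by severity, then account name."""
    findings = []
    for acct in accounts:
        findings.extend(audit_account(acct, today, dormant_after))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["account"]))
    return findings


def run_audit():
    """Convenience entry point over the constructed inventory."""
    return audit(ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['severity']:8} {f['account']:18} {f['check']:24} -> {f['action']}")
```

On the constructed inventory the retired case-management administrator account is reported three times (dormant and privileged, privileged without MFA, and orphaned by a decommissioned system), which is exactly the combination described in the penalty notice; the account with MFA and recent use produces no finding. Running such an audit on a schedule, and treating every `critical` line as a ticket, is the review the "Practical steps" above ask for.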
The ICO has published detailed guidance and a recent report on learning from the security mistakes of others, which is a valuable resource for organisations looking to strengthen their data protection practices.
In conclusion…
Don’t Wait for a Breach to Act!
The DPP Law case is a stark reminder that data protection failures can have serious financial and reputational consequences for any business. By taking proactive steps now, you can greatly reduce the risk of falling victim to a cyber attack and ensure you are meeting your legal obligations.
We'd strongly recommend reviewing your own processes, and also speaking to your IT provider for their advice on the latest security recommendations.