UK: ICO fines Tuckers Solicitors LLP £98,000 for data breach
The Information Commissioner's Office ('ICO') published, on 10 March 2022, its monetary penalty notice, issued on 28 February 2022, in which it imposed a fine of £98,000 on Tuckers Solicitors LLP, for violations of Articles 5(1)(f), 32(1)(a), and 32(1)(b) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a ransomware attack on its systems.
Background to the case
In particular, the ICO noted that following a ransomware attack on its archive servers on 24 August 2020, Tuckers submitted a personal data breach notification to the ICO the following day. In that notification, Tuckers outlined that 972,191 individual files had been encrypted and that, of these, 60 court bundles had been exfiltrated by the attacker and published on an underground market site. The ICO further outlined that the bundles included a comprehensive set of sensitive personal data, including medical files, witness statements, names and addresses of witnesses and victims, and the alleged crimes of the individuals.
Findings of the ICO
In light of the above, the ICO found that Tuckers failed to put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of data for the purpose of their business, resulting in a violation of the principle of integrity and confidentiality under Article 5(1)(f) of the GDPR, as well as Article 32 of the GDPR.
In particular, the ICO outlined the considerations that informed its assessment of the adequacy of Tuckers' technical and organisational measures over the relevant period:
- a lack of multi-factor authentication evidenced by Tuckers allowing access to its networks using only a single username and password;
- inadequate patch management which allowed the processing of data on an infrastructure containing known critical vulnerabilities, without appropriately addressing the risk; and
- the failure to ensure the ongoing confidentiality, integrity, and availability of its data processing systems and services, despite the highly sensitive nature of personal data processed.
On these grounds, the ICO concluded that Tuckers had violated Articles 5(1)(f) and 32(1)(b) of the GDPR.
In addition, the ICO found that Tuckers failed to ensure appropriate security through encryption of personal data, as it stored archive bundles in unencrypted, plain-text form, resulting in a failure to protect against unauthorised and unlawful processing of personal data, in violation of Articles 5(1)(f) and 32(1)(a) of the GDPR.
As a result, the ICO considered it appropriate, on the basis that the contraventions were sufficiently serious, to issue a penalty of £98,000.
In addition to the penalty, the ICO imposed corrective measures. Finally, the ICO clarified that Tuckers is entitled to appeal to the First-tier Tribunal within 28 days of the date of the penalty notice.