We have all worried about leaving a bundle on the train. Unfortunately for Tuckers, their worry was far larger as thousands of files in court bundles were accessed electronically and some ended up on the dark web published by criminal hackers. This resulted in the Information Commissioner’s Office (“ICO”) issuing a fine to Tuckers Solicitors of £98,000 for a breach of Article 5(1)(f) of the GDPR, i.e. a failure to process data in a manner that ensures appropriate security of the personal data.
The ICO took the view that the infringement ran for a period of 2 years and 3 months, from the GDPR coming into force on 25 May 2018 until 24 August 2020. Throughout this period Tuckers failed to implement processes to ensure the security of the personal data it held.
As a result of a ransomware attack on 24 August 2020, Tuckers suffered a personal data breach in which 972,191 files were encrypted by the ransomware. Of these, 24,712 files related to court bundles containing a wide range of personal data, and 60 of those bundles, covering both civil and criminal cases, were exfiltrated and sold on the dark web by the attacker. Among the exfiltrated bundles, of particular concern was special category personal data relating to a prisoner’s child. Given the specific protection the GDPR affords children (see Recital 38), the ICO found that the child’s privacy had been breached, with intimate details of their family life published online.
The ICO found that Tuckers had:
- failed to implement multi-factor authentication (MFA), despite being advised in 2016 that MFA should be implemented and despite further guidance issued in 2018 by the National Cyber Security Centre and the Solicitors Regulation Authority (SRA) on this point;
- failed to apply a high-risk security patch until 4 months after its release, despite the patch being rated ‘critical’ and available free of charge;
- failed to follow the SRA Code of Conduct for Firms; and
- retained court bundle data after its 7-year retention period had expired.
In addition the ICO noted that criminal convictions and medical files were amongst the breached data.
Whilst the fine was large, the ICO also took a number of mitigating factors into account in its decision. These included Tuckers’ early engagement with the ICO, its proactivity in addressing the security concerns, subsequent improvements in staff training and the introduction of regular penetration testing of its systems.
It is also worth noting that notification of the data breach to the affected data subjects was treated as a mitigating factor. Where a breach is likely to result in a high risk to data subjects, notification must be made without undue delay (Article 34 GDPR), and Tuckers used social media and a notice on its website to ensure that data subjects were alerted to the breach. Given that the ICO’s starting point for the fine was 3.25% of Tuckers’ annual turnover, the mitigating factors had a major impact in reducing the fine to £98,000.
Whilst the ICO can take a range of mitigating factors into account, prompt notification to data subjects is a relatively straightforward step that an organisation can take to show that it takes data protection seriously. The other mitigating steps taken by Tuckers are set out at paragraph 107 of the monetary penalty notice.
Not only is the potential reputational damage associated with a personal data breach huge, but the fines can also be punishing. Organisations such as the National Cyber Security Centre publish advice on how to protect against cyber-attacks, and in the worst-case scenario, organisations should engage with the authorities as promptly as possible.
“The Commissioner considers that this personal data breach occurred due to a criminal and malicious cyber-attack that exploited negligent security practices.”