United Kingdom (and EU regulation)

The UK’s ICO issues a monetary penalty notice to professional services firm after ransomware attack

By Tim Jones and Steven Hadwin (UK) on March 16, 2022 Posted in Cybersecurity, United Kingdom

On 10 March 2022, the Information Commissioner’s Office (ICO) issued a monetary penalty notice to a professional services firm (the Firm) to the tune of £98,000 for a breach of Article 5(1)(f) of the General Data Protection Regulation (GDPR).

The Firm was the victim of a ransomware attack which it first became aware of on 24 August 2020, and reported to the ICO on 25 August 2020. The ICO considered that the Firm’s failure to implement appropriate technical and organisational measures over some or all of the relevant period rendered it vulnerable to the attack which resulted in the encryption of 972,191 files, of which 24,712 related to court bundles. Of the encrypted files, 60 court bundles were exfiltrated by the attackers and the data within those bundles was published on the dark web. These bundles contained both personal data and special category data including information on medical files, witness statements and the names of victims and witnesses.

In particular, the ICO identified three areas where the Firm failed to demonstrate compliance with Article 5(1)(f) GDPR:

Lack of multi-factor authentication (MFA)

The Firm did not use MFA for remote access to its system. The ICO stated that this practice has been recommended since 2018, citing guidance published by the Solicitors Regulation Authority in 2018 around the use of MFA where possible.
The ICO said that the use of MFA was a ‘comparably low-cost preventative measure which the Firm should have implemented’, which would have strengthened the protection of unauthorised access to its system. Without the use of MFA, the attackers could enter the network by exploiting a single username and password.

Patch management

The Firm was provided a patch to fix certain known vulnerabilities. The patch was released on 19 January 2020 however the Firm installed the patch in June 2020, over four months after the patch was released. Given the highly sensitive personal data it stored and the relatively low costs of patch implementation, the ICO stated that the Firm should not have continued the processing of personal data with known critical vulnerabilities.

Failure to encrypt personal data

The Firm had not encrypted its personal data stored on an archive server which was subject to the attack. The ICO said that, even though encryption may not have prevented the ransomware attack, it would have mitigated the risks posed to the affected data subjects.
The ICO considered that due to the nature of the personal data the Firm was processing, and considering the costs of implementation, the Firm should not have stored these bundles in ‘unencrypted, plain text format’.

This is the first monetary penalty notice to be issued to a professional services firm for breach of Article 5(1)(f) in the wake of a ransomware attack. The decision reinforces the importance the ICO places on remote access security, as well as the protection of personal data at rest in the event that a company’s perimeter is breached.

For more information on the ICO’s decision, please read the full monetary penalty notice issued here.

The authors would like to thank Elizabeth Yong for her assistance with this blog post.