The UK data protection authority, the Information Commissioner's Office (ICO), has fined the law firm Tuckers Solicitors LLP £98,000.
This is a fascinating case from the UK commissioner on multiple fronts, as the reasoning in its penalty notice found that “Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
The ICO reported that in August 2020, Tuckers suffered a ransomware attack that resulted in a personal data breach.
The ICO ruled that Tuckers had failed to implement appropriate technical measures, leaving it vulnerable to attack.
Tuckers is a data controller. Controllers are required to implement appropriate technical and organisational measures to ensure that their processing of personal data is secure, and to be able to demonstrate that it is.
The facts of this case are not only interesting but also a warning and an insight into how you should approach your “appropriate technical and organisational measures”. Ransomware attacks are one of the reasons we teach, train and raise awareness of cyber and information security.
Let me explain!
One consequence of this ransomware breach was the exfiltration of data from Tuckers' systems.
What is “data exfiltration”? Data exfiltration is the unauthorised transfer of data out of a system or network. In this case the attacker removed personal data from Tuckers' systems, so the incident was not only a loss of availability (the encryption) but also a loss of confidentiality: data that has left the network cannot be recovered by restoring from backup.
The attack vector, or the most likely method by which this happened, was a patch that had not been applied to its system. The patch was released in January 2020 but was not applied until June 2020, a gap of several months.
Tuckers had failed a Cyber Essentials assessment before the attack and had not remediated the findings (Cyber Essentials expects patches for critical and high-risk vulnerabilities to be applied within 14 days of release), so the ICO ruled that Tuckers had not acted appropriately.
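The patch lag the ICO describes is exactly what a routine patch-management check should surface long before an attacker does. What follows is an added example, not code from the original article, from Tuckers or from the ICO: it runs over a constructed patch inventory (hypothetical hostnames, patch names and exact dates; the ICO only gives the months, so the first record uses illustrative days within January and June 2020) and flags every patch that was installed later than, or is still missing beyond, a 14-day window. The 14-day figure is the Cyber Essentials expectation for critical and high-risk patches and is kept as a parameter so a stricter internal SLA can be substituted.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumption: Cyber Essentials expects patches for critical/high-risk
# vulnerabilities within 14 days of release; kept as a parameter so a
# stricter internal SLA can be used instead.
PATCH_SLA_DAYS = 14


@dataclass(frozen=True)
class PatchRecord:
    """One patch on one asset. applied=None means it is still outstanding."""
    asset: str
    patch: str
    released: date
    applied: Optional[date] = None


def patch_lag_days(record: PatchRecord, as_of: date) -> int:
    """Days from release to installation, or to `as_of` if not yet installed."""
    end = record.applied if record.applied is not None else as_of
    return (end - record.released).days


def overdue_patches(
    records: List[PatchRecord], as_of: date, sla_days: int = PATCH_SLA_DAYS
) -> List[Tuple[str, str, int, str]]:
    """Return (asset, patch, lag_days, status) for every record over the SLA.

    A patch counts as a breach whether it was eventually installed late
    (status 'late') or is still missing as of `as_of` (status 'outstanding').
    Patches installed within the window, or outstanding but still inside it,
    are not reported.
    """
    overdue = []
    for r in records:
        lag = patch_lag_days(r, as_of)
        if lag > sla_days:
            status = "late" if r.applied is not None else "outstanding"
            overdue.append((r.asset, r.patch, lag, status))
    return overdue


# Constructed sample inventory (hypothetical hostnames and patch names).
# The first record uses illustrative days within the months the ICO gives
# for the Tuckers timeline: released January 2020, applied June 2020.
SAMPLE_INVENTORY = [
    PatchRecord("edge-gateway-1", "vendor-hotfix-2020-01", date(2020, 1, 1), date(2020, 6, 1)),
    PatchRecord("file-server-2", "os-cumulative-2020-03", date(2020, 3, 10), date(2020, 3, 20)),
    PatchRecord("file-server-2", "os-cumulative-2020-07", date(2020, 7, 1), None),
    PatchRecord("laptop-17", "browser-2020-07b", date(2020, 7, 25), None),
]

# Date the check is run; August 2020 is the month of the attack the ICO reports.
AS_OF = date(2020, 8, 1)


def main() -> None:
    for asset, patch, lag, status in overdue_patches(SAMPLE_INVENTORY, AS_OF):
        print(f"{asset:16} {patch:24} {lag:4d} days  {status}")


if __name__ == "__main__":
    main()
```

Run against the sample inventory, the report lists the January patch as 152 days late and the July server patch as 31 days outstanding; the March patch (10 days) and the laptop patch (7 days, still within the window) are not reported. The point of keeping `applied=None` records in scope is that a patch nobody has installed yet is the one that matters most, and a check that only measures completed installs will never show it.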
If you thought that was the end of this technical tale of woe, read on brothers and sisters. Further to these findings, the ICO found that Tuckers had breached its own seven-year retention period, for which it was also penalised. The attacker also encrypted the backups of the system, so they offered no route to recovery: backups reachable from the compromised network are within the attacker's reach, which is why an offline or otherwise isolated copy matters.
The National Cyber Security Centre publishes excellent guides, including 10 Steps to Cyber Security – NCSC.GOV.UK, which we highly recommend; they cover sound fundamental principles of how organisations can protect themselves.
Cyber Essentials is a starting point, but ensuring you have appropriate technical measures to protect your organisation, and evidence that they are working, is vital.
Although interlinked with cyber security, data protection and information governance are a different skill set, a point we have covered in other articles. Still, a good Data Protection Officer understands both what the law requires and how to implement compliance with it in practice.
Need help with your data protection or cybersecurity? Please give us a call on +(0)1344 307817 or email email@example.com