A legal practice in the UK has been fined £98,000 after a security incident lead to hackers stealing sensitive court case information.

The group in question, Tuckers Solicitors, had a cybersecurity policy that failed to comply with GDPR requirements. Because of this, criminals were able to breach the business’ network and encrypt 24,711 “court bundled” files, of which, 60 were published via an underground market. The data held within these court files contained personal information including medical files, witness statements, addresses of victims and witnesses, along with individual’s alleged crimes.

It’s possible that hackers were able to access records due to an unpatched and further exploited vulnerability in the network.

The Information Commissioner’s Office (ICO) issued a monetary penalty notice, and highlighted the lack of multi-factor authentication (MFA) for remote access. ICO also noted, in particular, the firm’s failure to patch a vulnerability that had been exploited and warned of by the National Cyber Security Centre (NCSC). Encryption of the sensitive information was also not properly accounted for on the archive server.

If network issues are not caught and dealt with in real time, it’s much easier for malicious activity to occur, and for more damage to be done. Organizations need advanced threat detection capabilities in their IT infrastructure. This could be the difference between a standalone attack and a full on data breach.

Sign up to our mailing list to receive more IT related educational information:

You may unsubscribe from our newsletter at any time.

Leave a Reply

Your email address will not be published.