The UK’s Information Commissioner’s Office fined Merseyside-based DPP Law Ltd (DPP) £60,000 following a cyber attack that led to the publication of highly sensitive and confidential personal information on the dark web.
The Commissioner found that the firm has failed to implement appropriate measures to ensure the security of personal information held electronically. This failure enabled cyber hackers to gain access to DPP’s network via an infrequently used administrator account that lacked multi-factor authentication (MFA) and steal large volumes of data.
“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident,” said Andy Curry, Director of Enforcement and Investigations (Interim).
“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences,” he emphasised.
DPP specialises in law relating to crime, military, family fraud, sexual offences, and actions against the police.
