No 2FA, Sensitive Information Leaked, No Excuse: UK Law Firm Hit with Massive Cyber Fine

The420.in

Merseyside-based law firm DPP Law has been fined Rs. 63,00,000 by the UK’s Information Commissioner’s Office (ICO) following a serious cyberattack that led to the exposure of highly sensitive client information on the dark web.

The ICO’s investigation found that DPP Law failed to implement adequate security measures, most notably the absence of multi-factor authentication on one of its critical databases. That gap meant a guessed password alone was enough: cybercriminals gained unauthorised access to the firm’s internal network, leading to a significant data breach.

Specializing in legal matters involving crime, family disputes, fraud, military offenses, and cases against law enforcement, DPP Law handles exceptionally sensitive and legally privileged information. The breach involved over 32GB of data containing identifiable personal details, which were later discovered to have been published on the dark web.


The cyberattack disrupted the firm’s IT systems for over a week. A third-party forensic investigation concluded that the breach stemmed from a brute-force attack on an administrator account linked to a legacy case management system, precisely the kind of password-guessing attack that multi-factor authentication is designed to defeat. Once inside, the attackers moved laterally through the network and exfiltrated the data.
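The brute-force pattern described above leaves a clear trace in authentication logs well before the attacker lands a successful login. The following Python is an added example, not code from the article, from DPP Law or from the ICO: it scans constructed log lines for a burst of failed logins against one account from one source, and escalates the alert if a successful login from the same pair follows. The log format, account names, source addresses and thresholds are all assumptions made for illustration.

```python
"""Sliding-window brute-force detection over authentication logs.

Added example; the log format, accounts, addresses and thresholds below
are constructed for illustration and are not taken from the DPP Law case.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp user result src" format.
# The first block mimics a password-guessing run against an admin account that
# eventually succeeds; the second is an ordinary user mistyping once.
SAMPLE_LOG = """\
2022-06-02T01:00:00 admin FAIL 203.0.113.5
2022-06-02T01:00:03 admin FAIL 203.0.113.5
2022-06-02T01:00:06 admin FAIL 203.0.113.5
2022-06-02T01:00:09 admin FAIL 203.0.113.5
2022-06-02T01:00:12 admin FAIL 203.0.113.5
2022-06-02T01:00:15 admin FAIL 203.0.113.5
2022-06-02T01:00:18 admin OK 203.0.113.5
2022-06-02T09:15:00 jsmith FAIL 198.51.100.7
2022-06-02T09:15:20 jsmith OK 198.51.100.7
"""

FAIL_THRESHOLD = 5                 # failures inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)      # sliding window for counting failures
PRIVILEGED_ACCOUNTS = {"admin"}     # assumed list of high-value accounts


def parse_line(line):
    """Split one log line into (timestamp, user, result, source address)."""
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alerts as dicts.

    An alert is raised once `threshold` failures from one (user, src) pair fall
    inside `window`. A later OK from the same pair sets `success`, which is the
    indicator that the guessing actually worked and the account is compromised.
    Severity is "high" for accounts in PRIVILEGED_ACCOUNTS, else "medium".
    """
    failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for raw in log_text.strip().splitlines():
        ts, user, result, src = parse_line(raw)
        key = (user, src)
        q = failures[key]
        # Drop failures that have aged out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {
                    "user": user,
                    "src": src,
                    "failures": 0,
                    "success": None,
                    "severity": "high" if user in PRIVILEGED_ACCOUNTS else "medium",
                })
                alert["failures"] = len(q)
        elif result == "OK" and key in alerts and alerts[key]["success"] is None:
            alerts[key]["success"] = ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        state = "SUCCEEDED at %s" % alert["success"] if alert["success"] else "no success yet"
        print("%s brute force on %s from %s: %d failures, %s"
              % (alert["severity"].upper(), alert["user"], alert["src"],
                 alert["failures"], state))
```

Run against the sample, the detector reports a single high-severity alert for `admin` from 203.0.113.5 with six failures and a success at 01:00:18, and nothing for `jsmith`. In a real deployment the alert should fire on the threshold, not on the success; the point of an account lockout or MFA on the administrator account is that the seventh attempt never becomes an OK line at all.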

Alarmingly, DPP failed to recognise the breach as a notifiable incident and reported it to the ICO only 43 days after being informed of it by the National Crime Agency (NCA), far outside the 72-hour window within which UK GDPR requires a reportable personal data breach to be notified to the ICO once an organisation becomes aware of it.

Andy Curry, the ICO’s interim director of enforcement and investigations, said that the investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access. He said that this penalty reinforces the legal obligation to implement robust cybersecurity measures and to report breaches promptly.

He added that data protection is not optional. Organisations must take seriously the responsibility entrusted to them by individuals whose data they hold.

The ICO’s decision sends a clear message: failure to safeguard sensitive information not only invites legal scrutiny but also brings significant financial and reputational consequences.
