UK Law Firm Fined £60,000 for Data Breach Mismanagement

Overview

In legal practice, trust, confidentiality, and compliance are fundamental. When a cyber incident occurs, firms must act fast—not just to contain the threat, but to stay aligned with regulatory obligations. Failure to do so can result in lasting reputational damage and financial penalties.

What Happened

In June 2022, DPP Law Ltd, a UK firm practising criminal defence and family law, fell victim to a cyberattack. Threat actors exploited an outdated administrator account that lacked multi-factor authentication, gaining access to a legacy system containing 32.4 GB of sensitive data, including police bodycam footage and confidential client records.

Worse still, DPP Law failed to report the breach within the mandatory 72-hour window under UK GDPR. It took 43 days and a tip-off from the National Crime Agency—after the data was found on the dark web—for the breach to be acknowledged.

What They Should Have Done

When a breach is discovered or even suspected, the following steps are critical:
◾ Immediately isolate affected systems to contain further access or data exfiltration.
◾ Conduct a preliminary assessment to understand the scope, data involved, and potential impact.
◾ Notify the ICO within 72 hours, as required under the UK GDPR.
◾ Inform affected individuals, especially if there is a high risk to their rights and freedoms.
◾ Engage cybersecurity and legal experts to manage response, evidence collection, and compliance.
◾ Begin forensic investigation and recovery efforts to prevent recurrence.

Why Law Firms Are Prime Targets

Legal organizations are especially attractive to cybercriminals due to:
◾ High-value, confidential data (client records, litigation strategies, evidence).
◾ Underinvestment in cybersecurity compared to other high-risk industries.
◾ Tight deadlines and pressure, making them more vulnerable to phishing and ransomware.
◾ Supply chain links to courts, police, and corporate clients.

Repercussions

The Information Commissioner’s Office (ICO) fined DPP Law £60,000 for inadequate cybersecurity controls and delayed reporting. The firm is appealing, but the consequences go beyond monetary fines—client trust and professional reputation are on the line.

Conclusion

Cybersecurity isn’t just an IT issue; it’s a business-critical priority. Law firms must protect their clients, reputation, and operations with proactive measures and well-tested incident response plans.

Stay safe, stay ahead!