Cyber-crime has grown exponentially in recent years; on 9th February 2022 the NCSC published a joint advisory report showing a global trend of increased ransomware threats in 2021. It highlights the more sophisticated tactics and techniques being deployed by cyber criminals targeting top UK sectors, including the legal profession. This blog explores different strategies for securing data in light of a recent fine imposed on a solicitors’ firm which became the victim of a ransomware attack in 2020.
On 10th March 2022, the Information Commissioner’s Office (ICO) published a monetary penalty notice of £98,000 against Tuckers Solicitors LLP, a criminal defence firm specialising in criminal law, civil liberties and regulatory proceedings. The fine followed a malicious data breach by a criminal hacker which resulted in the encryption of 972,191 individual files containing personal and special category data. Most worryingly, 60 of those files, and the personal data within them, were exfiltrated and published on dark web marketplaces.
The firm did absolutely the right thing and reported the matter to the ICO (and the SRA). Following its investigation, the ICO found that the firm had failed to implement appropriate technical and organisational measures to secure its personal data, rendering it vulnerable to the attack.
The key findings were:
- Delay in patch management
- Failure to encrypt personal data
- Lack of multi-factor authentication
Whilst the main failures appear at first glance to be technical in nature, this blog breaks down the main ICO findings and explores how the interplay of technical and organisational measures works to support a strong data privacy programme.
- Delay in applying a patch
In its report, the ICO found that Tuckers Solicitors applied a free software patch 5 months after its release in January 2020. Whilst it was not confirmed that the breach happened as a result of this delay, the delay left the firm exposed to a vulnerability known to have been exploited by malicious attackers. The NCSC had published an alert recommending that software updates be installed as soon as possible. In its own GDPR & Data Protection Policy, Tuckers Solicitors LLP stated that updates would be conducted “on a regular basis to reduce the risk presented by security vulnerabilities”.
Data protection policies are widely endorsed by regulators and privacy advocates as a useful tool in an organisation’s data protection strategy. The policy sets out the position and commitment towards securing personal data, outlines the roles and responsibilities and documents incident response procedures.
Unfortunately though, policies are too often used as a tick box exercise to demonstrate compliance against the GDPR accountability requirements. They can easily be rendered meaningless if the procedures are not embedded into an organisation’s operation and supported through regular audits, reviews and continuous monitoring.
A way to mitigate this risk, and to minimise the chance of a hack causing such serious impact, is to assign roles and responsibilities clearly and to put processes and systems in place both to monitor emerging risks identified by key data privacy and security authorities such as the NCSC and the ICO and to ensure software updates are completed without delay.
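As an added illustration (not part of the original blog or the ICO notice) of how a patching commitment can be monitored rather than merely written into a policy, the following Python audits a patch inventory against severity-based deployment windows and treats unpatched systems as exposed up to the report date. The policy windows, system names and advisory references are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed policy: maximum days from vendor release to deployment, by severity.
# These windows are assumptions for the example, not figures from the ICO notice.
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

@dataclass
class PatchRecord:
    system: str
    advisory: str                   # vendor bulletin or internal ticket reference
    severity: str                   # key into PATCH_SLA_DAYS
    released: date                  # date the vendor published the fix
    applied: Optional[date] = None  # None means the patch is still outstanding

def days_exposed(rec: PatchRecord, as_of: date) -> int:
    """Days the system ran without the fix: until it was applied, or until the report date."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days

def overdue_patches(records: List[PatchRecord], as_of: date) -> List[Tuple[str, str, int, int, str]]:
    """Return (system, advisory, days_exposed, sla_days, status) for every record whose
    exposure exceeded its policy window, worst breach first. Status is 'outstanding' for
    systems still unpatched and 'late' for patches applied after the window closed."""
    findings = []
    for rec in records:
        exposure = days_exposed(rec, as_of)
        limit = PATCH_SLA_DAYS[rec.severity]
        if exposure > limit:
            status = "outstanding" if rec.applied is None else "late"
            findings.append((rec.system, rec.advisory, exposure, limit, status))
    return sorted(findings, key=lambda f: f[2] - f[3], reverse=True)

# Constructed inventory. The first record mirrors the pattern in the notice: a fix released
# in January 2020 and applied roughly five months later. Names and references are made up.
SAMPLE_RECORDS = [
    PatchRecord("remote-access-gw", "VENDOR-2020-001", "critical", date(2020, 1, 14), date(2020, 6, 10)),
    PatchRecord("case-mgmt-db", "VENDOR-2020-002", "high", date(2020, 3, 2), date(2020, 3, 20)),
    PatchRecord("file-server-01", "VENDOR-2020-003", "medium", date(2020, 4, 1)),  # never applied
]
AS_OF = date(2020, 7, 1)  # report date for the demo

if __name__ == "__main__":
    for system, advisory, exposed, limit, status in overdue_patches(SAMPLE_RECORDS, AS_OF):
        print(f"{system}: {advisory} {status}, exposed {exposed} days against a {limit}-day window")
```

Run on a schedule and fed from the real asset register, the "outstanding" rows are the ones that turn a written patching policy into an enforced one.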
When considering the penalties for a data breach, the regulator will take into account the “nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”.
Given the nature of legal services work, it is more likely that special category data and criminal offence data are being processed, and therefore a higher level of security is required. The SRA frequently features Information and Cyber Security in its annual Risk Outlook, highlighting an increased risk of legal firms being the targets of a cyber-attack. Equally, the BSB’s latest Risk Outlook highlights this risk and goes on to state that “dedicated IT resources and specialist information risk management expertise are rarely found within chambers themselves”. This is partly a result of the “structure of the Bar, with the relatively small size of many chambers”.
- Failure to encrypt personal data
Under Article 32 of the GDPR, encryption, along with pseudonymisation, is expressly stated as a control that should be considered during the design of security systems, and it is widely accepted by the cyber security industry as an appropriate security measure. Although it does not defend against unauthorised loss or destruction of data, it does prevent access to personal data in the event of a data breach, upholding the confidentiality requirements and leaving the data of little value to the attacker.
In the case of the Tuckers Solicitors LLP data breach, whilst most files were encrypted, the attacker was able to exfiltrate archived bundles containing personal and sensitive data in unencrypted plain text, which were subsequently placed on underground marketplaces. The ICO points out that free, open-source encryption solutions are widely available, and that court-bundling software with encryption capabilities can be purchased commercially and inexpensively.
When referencing “state of the art” security measures, industry best practice should be taken into consideration, and the strength of the mechanism should reflect the category or classification of the information and the risk to the data subjects should that data be released. It is therefore important that companies know what data they process, where it is stored, and the security measures placed upon it. As well as being a requirement under the GDPR, keeping a record of processing activities is a practical tool for monitoring the data that is processed and assessing the suitability of the measures in place to protect it, as well as the wider GDPR obligations such as lawful grounds for processing and international transfer rules. This record should not be static: it should be revised when changes to processing arise, which can be built into the audit process or scheduled at regular intervals for review, and any areas of concern should be addressed in a timely manner. The ICO provides many useful tools and guidance to support organisations in complying with their regulatory obligations.
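An added example (not code from the original post or from any product it mentions) of the kind of check that catches unencrypted bundles before they sit on a file share: it reads only the ZIP central directory and classifies each entry as plaintext, legacy ZipCrypto or AES. The archive contents are constructed sample text, and because Python's zipfile cannot write encrypted entries, the encrypted case is simulated by setting the encryption flag bit on a copy of the plain bundle.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import List

# WinZip AE-x (AES) entries use compression method 99; other encrypted entries are legacy ZipCrypto.
_AES_METHOD = 99

@dataclass
class BundleFinding:
    name: str
    plaintext: List[str] = field(default_factory=list)  # readable by anyone holding the file
    legacy: List[str] = field(default_factory=list)     # ZipCrypto-protected: weak, treat as exposed
    aes: List[str] = field(default_factory=list)        # AE-x protected entries

def audit_zip_bundle(name: str, data: bytes) -> BundleFinding:
    """Classify each file in a ZIP bundle by how (or whether) it is encrypted. Bit 0 of an
    entry's general-purpose flag marks it encrypted; only the central directory is read."""
    finding = BundleFinding(name)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.flag_bits & 0x1:
                finding.plaintext.append(info.filename)
            elif info.compress_type == _AES_METHOD:
                finding.aes.append(info.filename)
            else:
                finding.legacy.append(info.filename)
    return finding

def _build_plain_bundle() -> bytes:
    """Constructed sample: a court-bundle style archive written with no encryption at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("bundle/index.txt", "1. Witness statement\n2. Exhibit A\n")
        zf.writestr("bundle/witness_statement.txt", "Constructed sample text, no real data.\n")
    return buf.getvalue()

def _simulate_zipcrypto(data: bytes) -> bytes:
    """zipfile cannot write encrypted entries, so for the demo set the encryption bit (offset 8
    of each central-directory header, signature PK 01 02) on a copy of the plain bundle."""
    buf = bytearray(data)
    pos = buf.find(b"PK\x01\x02")
    while pos != -1:
        buf[pos + 8] |= 0x1
        pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

PLAIN_BUNDLE = _build_plain_bundle()
ZIPCRYPTO_BUNDLE = _simulate_zipcrypto(PLAIN_BUNDLE)
```

Only bundles with empty `plaintext` and `legacy` lists should be allowed onto shared storage; the encryption flag alone says nothing about strength, which is why ZipCrypto entries are reported separately.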
- Lack of multi-factor authentication (MFA)
Multi-factor authentication is highly regarded by security advocates as a technical measure to ensure that there is a higher degree of certainty when authenticating a user accessing information. It is now considered best practice to use MFA for most systems, particularly where remote access or higher-risk processing is involved.
Despite advising the use of MFA within its GDPR & Data Protection policy, Tuckers Solicitors LLP did not use it for remote access to the system involved in the breach. This oversight meant that access to the network was allowed through a single username and password. Subsequently the attacker was able to create its own user account and carry out the encryption and exfiltration of files. The ICO regards MFA as a low-cost preventative measure which substantially increases the difficulty of entering a network.
As part of a layered approach to access management, organisations should also consider implementing the principle of ‘least privilege’, which limits user access rights to only what is required to do their jobs. In the event that a hacker has access to a user’s account, they are restricted to the information and permissions available to that account.
The ICO found that Tuckers Solicitors LLP failed to properly implement a number of technical measures which would have secured the personal data. In all three cases it added that patch management, encryption and multi-factor authentication were widely available, inexpensive but effective measures that should have been in place at the time of the breach.
Data breaches can provide lucrative rewards for criminal hackers, and the legal sector is known to be a key target. Attackers constantly look to benefit from weaknesses in systems, which emphasises the need for enhanced vigilance and awareness in an ever-changing landscape of cybercrime.
The measures Tuckers Solicitors LLP used are common methods of preventative security; however, without the appropriate level of monitoring and enforcement, they created opportunities for vulnerabilities to be exploited. Reliance is often put on the technical measures that are in place, but organisations should not become complacent about the benefits that robust organisational measures can have, including the reassurance that regular reviews and monitoring of data security processes and procedures provide.
As an organisation we understand there is a wealth of information to navigate, so we have put together a useful checklist to assess your own data protection measures and help to enhance your security defences, which can be downloaded by completing the form below.
If you would like any further information or to discuss your data protection strategy, processes and systems, please feel free to contact us at firstname.lastname@example.org or on 0121 288 5227.
Sei-Ting Leung, Compliance Consultant