ICO (UK) - Levales Solicitors LLP: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Levales Solicitors LLP |ECLI= |Original_Source_Name_1=UK ICO |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/reprimands/4031328/levales-reprimand.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Origina...")
 
m (Spelling)
Line 65: Line 65:
}}
}}


The UK DPA reprimanded a law firm for infringing Articles 32(1)(b) and 32(1)(d) UK GDPR because it suffered a data preach due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) employed in its systems.
The DPA reprimanded a law firm for infringing [[Article 32 GDPR|Articles 32(1)(b)]] and 32(1)(d) UK GDPR for a data breach caused by inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) employed in its systems.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Levales Solicitors LLP, a law firm specializing in criminal and military law, experienced a data breach when an unknown threat actor gained access to their secure cloud-based server using legitimate credentials. The breach affected 8,234 UK data subjects, with 863 deemed at 'high-risk' due to the sensitive nature of the data involved. The compromised information included special categories of personal data including “criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’”, and was later published on the dark web.  The breach occurred due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) for the affected domain account and insufficient oversight of their outsourced IT management.
Levales Solicitors LLP, a law firm specializing in criminal and military law, caused a data breach when an unknown threat actor gained access to their secure cloud-based server using legitimate credentials. The breach affected 8,234 UK data subjects, with 863 deemed at 'high-risk' due to the sensitive nature of the data involved.  
 
The compromised information included special categories of personal data including “criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’”, and was later published on the dark web.  The breach occurred due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) for the affected domain account and insufficient oversight of their outsourced IT management.


=== Holding ===
=== Holding ===
The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems.  
The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems.  
The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades.
The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades.



Revision as of 06:41, 16 October 2024

ICO - Levales Solicitors LLP
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 32(1)(b) GDPR
Article 32(1)(d) GDPR
UK GDPR
Type: Other
Outcome: n/a
Started:
Decided:
Published:
Fine: n/a
Parties: Levales Solicitors LLP
National Case Number/Name: Levales Solicitors LLP
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: UK ICO (in EN)
Initial Contributor: Gauravpathak

The DPA reprimanded a law firm for infringing Articles 32(1)(b) and 32(1)(d) UK GDPR for a data breach caused by inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) employed in its systems.

English Summary

Facts

Levales Solicitors LLP, a law firm specializing in criminal and military law, caused a data breach when an unknown threat actor gained access to their secure cloud-based server using legitimate credentials. The breach affected 8,234 UK data subjects, with 863 deemed at 'high-risk' due to the sensitive nature of the data involved.

The compromised information included special categories of personal data including “criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’”, and was later published on the dark web. The breach occurred due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) for the affected domain account and insufficient oversight of their outsourced IT management.

Holding

The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems.

The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

The ICO existstoempoweryou throughinformation.

                                       Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF
                                       T.03031231113
                                       ico.org.uk



        DATA PROTECTION ACT 2018 AND UK GENERAL DATA
                        PROTECTION REGULATION

                                REPRIMAND

To: Levales Solicitors LLP

Of: Unit 1, 378-380 Vale Road, Ash Vale, Aldershot, Hampshire,

GU12 5NJ

The Information Commissioner (the Commissioner) issues a reprimand to
Levales Solicitors LLP in accordance with Article 58(2)(b) of the UK
General Data Protection Regulation (GDPR) in respect of certain

infringements of the UK GDPR.

   1. Summary of Incident

   1.1.      Levales Solicitors LLP is a law firm, founded in 2010,

       specialising in criminal and military law.

   1.2.      The breach occurred after an unknown threat actor gained

       access to the secure cloud based server via legitimate credentials,
       later publishing the data on the dark web.


   1.3.      In total, 8,234 UK data subjects were affected, of which 863
       were deemed to be at ‘high-risk’ of harm or detriment due to the
       special category of data including criminal data pertaining to

       ‘homicide, terrorism, sexual offences, offences involving children or
       particularly vulnerable adults’. The full list of affected data involved
       includes:


         •   Name
         •   Data of Birth

         •   Address
         •   National Insurance Number
         •   Prisoner Number

         •   Health Status
         •   Details of Criminal allegations not charged
         •   Details of Criminal allegations prosecuted

         •   Outcomes of investigations and prosecutions
         •   Details of complainants and victims both adult and children
         •   Previous Convictions

         •   Legally privileged information and advice                                       The ICO existstoempoweryou throughinformation.

                                       Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF
                                       T.03031231113
                                       ico.org.uk



2. The reprimand


   2.1.      The Commissioner has decided to issue a reprimand to
       Levales Solicitors LLP in respect of the following infringements of
       the UK GDPR:


   •  Article 32(1)(b) which states organisations should be able to
      “ensure the ongoing confidentiality, integrity, availability and

      resilience of processing systems and services.”

   •  Article 32(1)(d) which states “Taking into account the state of the

      art, the costs of implementation and the nature, scope, context and
      purposes of processing as well as the risk of varying likelihood and
      severity for the rights and freedoms of natural persons, the

      controller and the processor shall implement appropriate technical
      and organisational measures to ensure a level of security
      appropriate to the risk, including inter alia as appropriate”


   2.2.      Our investigation found infringements in relation to the
       security requirements of the UK GDPR. The reasons for the

       Commissioner’s findings are set out below.

3. Article 32(1)(b)


   •  Levales Solicitors LLP were not ensuring the ongoing confidentiality
      of it’s processing systems as per Article 32(1)(b).


   3.1.      Levales Solicitors LLP did not have Multi-Factor Authentication
       (MFA) in place for the affected domain account. Levales relied on

       computer prompts for the management and strength of password
       and did not have a password policy in place at the time of the
       incident. The threat actor was able to gain access to the

       administrator level account via compromised account credentials.
       Levales Solicitors LLP have not been able to confirm how these
       were obtained.


   3.2.      MFA is a basic measure we would expect to see organisations
       processing personal data implement, regardless of risk of                                       The ICO existstoempoweryou throughinformation.

                                       Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF
                                       T.03031231113
                                       ico.org.uk



                                                              1           2
       processing. Guidance was available on both the ICO and NCSC ’s
       websites highlighting the importance of using MFA when storing

       sensitive data or data that could cause significant harm if
       compromised.


4. Article 32(1)(d)


   •  Levales Solicitors LLP did not implement appropriate organisational
      measures as per Article 32(1)(d).


   4.1.      Levales Solicitors LLP did not implement appropriate technical
       and organisational measures to ensure their systems were secure.

       Levales outsourced their IT management to a third party and were
       unaware of security measures in place at the time of the incident,

       such as detection, prevention, and monitoring. Levales had not
       reviewed if the technical measures associated with the contract,

       were appropriate for the personal data they were processing since
       the contract was first signed in 2012.


   4.2.      When using a managed service provider, the ICO would
       expect that contracts are reviewed and that the responsibilities

       within the contract are fully understood to ensure the security of
       the data being processed is upheld. The NCSC provides a 12 step

       guide, which highlights that any vulnerabilities within the contract
       between provider and controller, with regards to security, can be
       exploited easily by threat actors.


5. Remedial steps taken by Levales Solicitors LLP


   5.1.      The Commissioner has also considered and welcomes the
       remedial steps taken by Levales Solicitors LLP in the light of this

       incident. In particular the introduction of MFA for all user accounts,
       updated service contracts with third party providers, and a

       complete review of their existing systems to prioritise work and
       upgrades to the firewall.





1https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide-
to-data-security/passwords-in-online-services/
2https://www.ncsc.gov.uk/collection/zero-trust-architecture/authenticate-and-authorise
3https://www.ncsc.gov.uk/collection/supply-chain-security                                              The ICO existstoempoweryou throughinformation.

                                              Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF
                                              T.03031231113
                                              ico.org.uk





6. Decision to issue a reprimand


    6.1.       Taking into account all of the circumstances of this case,
        including the remedial steps taken, the Commissioner has decided

        to issue a reprimand to Levales Solicitors LLP in relation to the
        infringements of Article 32(1)(b) and Article 32(1)(d) of the UK
                                 4
        GDPR set out above.
















































4
  Levales Solicitors LLP has had an opportunity to make representations to the
Commissioner in response to the Notice of Intent regarding this reprimand. Levales
Solicitors LLP did not provide a response.