ICO (UK) - Levales Solicitors LLP: Difference between revisions
Gauravpathak (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Levales Solicitors LLP |ECLI= |Original_Source_Name_1=UK ICO |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/reprimands/4031328/levales-reprimand.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link_2= |Origina...") |
m (Date added) |
||
(One intermediate revision by the same user not shown) | |||
Line 23: | Line 23: | ||
|Date_Started= | |Date_Started= | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published= | |Date_Published=11.10.2024 | ||
|Year= | |Year= | ||
|Fine= | |Fine= | ||
Line 65: | Line 65: | ||
}} | }} | ||
The | The DPA reprimanded a law firm for infringing [[Article 32 GDPR|Articles 32(1)(b)]] and 32(1)(d) UK GDPR for a data breach caused by inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) employed in its systems. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
Levales Solicitors LLP, a law firm specializing in criminal and military law, | Levales Solicitors LLP, a law firm specializing in criminal and military law, caused a data breach when an unknown threat actor gained access to their secure cloud-based server using legitimate credentials. The breach affected 8,234 UK data subjects, with 863 deemed at 'high-risk' due to the sensitive nature of the data involved. | ||
The compromised information included special categories of personal data including “criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’”, and was later published on the dark web. The breach occurred due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) for the affected domain account and insufficient oversight of their outsourced IT management. | |||
=== Holding === | === Holding === | ||
The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems. | The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems. | ||
The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades. | The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades. | ||
Latest revision as of 06:43, 16 October 2024
ICO - Levales Solicitors LLP | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 32(1)(b) GDPR Article 32(1)(d) GDPR UK GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 11.10.2024 |
Fine: | n/a |
Parties: | Levales Solicitors LLP |
National Case Number/Name: | Levales Solicitors LLP |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | UK ICO (in EN) |
Initial Contributor: | Gauravpathak |
The DPA reprimanded a law firm for infringing Articles 32(1)(b) and 32(1)(d) UK GDPR for a data breach caused by inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) employed in its systems.
English Summary
Facts
Levales Solicitors LLP, a law firm specializing in criminal and military law, caused a data breach when an unknown threat actor gained access to their secure cloud-based server using legitimate credentials. The breach affected 8,234 UK data subjects, with 863 deemed at 'high-risk' due to the sensitive nature of the data involved.
The compromised information included special categories of personal data including “criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’”, and was later published on the dark web. The breach occurred due to inadequate security measures, particularly the lack of Multi-Factor Authentication (MFA) for the affected domain account and insufficient oversight of their outsourced IT management.
Holding
The Information Commissioner's Office (ICO) issued a reprimand to Levales Solicitors LLP for infringing Article 32(1)(b) and 32(1)(d) UK GDPR. The ICO found that Levales failed to ensure the confidentiality of its processing systems and did not implement appropriate technical and organizational measures to secure their systems.
The ICO also took into account the remedial steps taken by Levales, including the introduction of MFA, updated service contracts with third-party providers, and a review of existing systems to prioritize security upgrades.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
The ICO existstoempoweryou throughinformation. Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF T.03031231113 ico.org.uk DATA PROTECTION ACT 2018 AND UK GENERAL DATA PROTECTION REGULATION REPRIMAND To: Levales Solicitors LLP Of: Unit 1, 378-380 Vale Road, Ash Vale, Aldershot, Hampshire, GU12 5NJ The Information Commissioner (the Commissioner) issues a reprimand to Levales Solicitors LLP in accordance with Article 58(2)(b) of the UK General Data Protection Regulation (GDPR) in respect of certain infringements of the UK GDPR. 1. Summary of Incident 1.1. Levales Solicitors LLP is a law firm, founded in 2010, specialising in criminal and military law. 1.2. The breach occurred after an unknown threat actor gained access to the secure cloud based server via legitimate credentials, later publishing the data on the dark web. 1.3. In total, 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’. The full list of affected data involved includes: • Name • Data of Birth • Address • National Insurance Number • Prisoner Number • Health Status • Details of Criminal allegations not charged • Details of Criminal allegations prosecuted • Outcomes of investigations and prosecutions • Details of complainants and victims both adult and children • Previous Convictions • Legally privileged information and advice The ICO existstoempoweryou throughinformation. Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF T.03031231113 ico.org.uk 2. The reprimand 2.1. The Commissioner has decided to issue a reprimand to Levales Solicitors LLP in respect of the following infringements of the UK GDPR: • Article 32(1)(b) which states organisations should be able to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” • Article 32(1)(d) which states “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate” 2.2. Our investigation found infringements in relation to the security requirements of the UK GDPR. The reasons for the Commissioner’s findings are set out below. 3. Article 32(1)(b) • Levales Solicitors LLP were not ensuring the ongoing confidentiality of it’s processing systems as per Article 32(1)(b). 3.1. Levales Solicitors LLP did not have Multi-Factor Authentication (MFA) in place for the affected domain account. Levales relied on computer prompts for the management and strength of password and did not have a password policy in place at the time of the incident. The threat actor was able to gain access to the administrator level account via compromised account credentials. Levales Solicitors LLP have not been able to confirm how these were obtained. 3.2. MFA is a basic measure we would expect to see organisations processing personal data implement, regardless of risk of The ICO existstoempoweryou throughinformation. Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF T.03031231113 ico.org.uk 1 2 processing. Guidance was available on both the ICO and NCSC ’s websites highlighting the importance of using MFA when storing sensitive data or data that could cause significant harm if compromised. 4. Article 32(1)(d) • Levales Solicitors LLP did not implement appropriate organisational measures as per Article 32(1)(d). 4.1. Levales Solicitors LLP did not implement appropriate technical and organisational measures to ensure their systems were secure. Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring. Levales had not reviewed if the technical measures associated with the contract, were appropriate for the personal data they were processing since the contract was first signed in 2012. 4.2. When using a managed service provider, the ICO would expect that contracts are reviewed and that the responsibilities within the contract are fully understood to ensure the security of the data being processed is upheld. The NCSC provides a 12 step guide, which highlights that any vulnerabilities within the contract between provider and controller, with regards to security, can be exploited easily by threat actors. 5. Remedial steps taken by Levales Solicitors LLP 5.1. The Commissioner has also considered and welcomes the remedial steps taken by Levales Solicitors LLP in the light of this incident. In particular the introduction of MFA for all user accounts, updated service contracts with third party providers, and a complete review of their existing systems to prioritise work and upgrades to the firewall. 1https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/a-guide- to-data-security/passwords-in-online-services/ 2https://www.ncsc.gov.uk/collection/zero-trust-architecture/authenticate-and-authorise 3https://www.ncsc.gov.uk/collection/supply-chain-security The ICO existstoempoweryou throughinformation. Wycliffe House,WaterLane, Wilmslow,Cheshire, SK95AF T.03031231113 ico.org.uk 6. Decision to issue a reprimand 6.1. Taking into account all of the circumstances of this case, including the remedial steps taken, the Commissioner has decided to issue a reprimand to Levales Solicitors LLP in relation to the infringements of Article 32(1)(b) and Article 32(1)(d) of the UK 4 GDPR set out above. 4 Levales Solicitors LLP has had an opportunity to make representations to the Commissioner in response to the Notice of Intent regarding this reprimand. Levales Solicitors LLP did not provide a response.