ICO (UK) - Tuckers Solicitors LLP: Difference between revisions

From GDPRhub
m (spacing changes)
(removed bullet points)
 
(One intermediate revision by one other user not shown)
Line 51: Line 51:
}}
}}


The UK DPA fined Tuckers Solicitors €116,784.27 (GBP 98,000) for contravening Article 5(1)(f) GDPR and [[Article 32 GDPR|Article 32 GDPR]] by "failing to process personal data in a manner that ensured appropriate security of the personal data.”
The UK DPA fined law firm €116,784.27 (GBP 98,000) for contravening [[Article 5 GDPR#1f|Article 5(1)(f)]] and [[Article 32 GDPR|Article 32 GDPR]] by "failing to process personal data in a manner that ensured appropriate security of the personal data.”


== English Summary ==
== English Summary ==
Line 67: Line 67:
The ICO held that “primary culpability for this incident rests with the attacker”. However, Tuckers violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] as its “technical and organisational measures areas were, over the relevant period, inadequate”. The same was based on the reading of [[Article 32 GDPR|Article 32 GDPR]] which mandates “a controller when implementing appropriate security measures to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". The failure to comply with the same was evident from the following:
The ICO held that “primary culpability for this incident rests with the attacker”. However, Tuckers violated [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] as its “technical and organisational measures areas were, over the relevant period, inadequate”. The same was based on the reading of [[Article 32 GDPR|Article 32 GDPR]] which mandates “a controller when implementing appropriate security measures to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". The failure to comply with the same was evident from the following:


Although Tucker’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. The ICO held that multi-factor authentication was a low-cost measure that “could have substantially supported Tuckers in preventing access to its network”. Accordingly, Tuckers failed to meet the requirements of [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]].
Although Tucker’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. The ICO held that multi-factor authentication was a low-cost measure that “could have substantially supported Tuckers in preventing access to its network”. Accordingly, Tuckers failed to meet the requirements of [[Article 32 GDPR#1b|Article 32(1)(b) GDPR]].


Tuckers installed the patch after months of its release, during which the attacker could have exploited the vulnerability.
Tuckers installed the patch after months of its release, during which the attacker could have exploited the vulnerability.


Considering the “highly sensitive nature of the personal data”, Tuckers “should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.
Considering the “highly sensitive nature of the personal data”, Tuckers “should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.


Tuckers did not encrypt the personal data, and accordingly “did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]”. Although the encryption would not have prevented the ransomware attack, it could have mitigated the damage.
Tuckers did not encrypt the personal data, and accordingly “did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]]”. Although the encryption would not have prevented the ransomware attack, it could have mitigated the damage.


For determining the penalty amount, the ICO took note of the fact that “personal data included within the bundles included special category data, and related to individuals that were particularly vulnerable,  including children and individuals involved in significant crimes”. As per the ICO, “this type of personal data required particularly high levels of security to be applied to it”; and its breach made the infringement more severe. It also determined that Tuckers’ security practices were negligent. The fact that Tuckers informed the data subjects as per [[Article 34 GDPR|Article 34 GDPR]] and commissioned a third-party investigator was also considered by the ICO.  
For determining the penalty amount, the ICO took note of the fact that “personal data included within the bundles included special category data, and related to individuals that were particularly vulnerable,  including children and individuals involved in significant crimes”. As per the ICO, “this type of personal data required particularly high levels of security to be applied to it”; and its breach made the infringement more severe. It also determined that Tuckers’ security practices were negligent. The fact that Tuckers informed the data subjects as per [[Article 34 GDPR|Article 34 GDPR]] and commissioned a third-party investigator was also considered by the ICO.  

Latest revision as of 14:32, 16 March 2022

ICO (UK) - Tuckers Solicitors LLP
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started: 25.08.2020
Decided: 28.02.2022
Published: 10.03.2022
Fine: 98,000 GBP
Parties: Tuckers Solicitor LLP
National Case Number/Name: Tuckers Solicitors LLP
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: gauravpathak

The UK DPA fined law firm €116,784.27 (GBP 98,000) for contravening Article 5(1)(f) and Article 32 GDPR by "failing to process personal data in a manner that ensured appropriate security of the personal data.”

English Summary

Facts

Tuckers Solicitors (Tuckers) is a limited liability partnership of solicitors and is the data controller. On 24 August 2020, Tuckers became aware that its systems were hit by a ransomware attack. On 25 August 2020, Tuckers determined that the hit had resulted in a personal data breach. It notified the same to the UK DPA (ICO) on the same day and stated, “attack had resulted in the encryption of civil and criminal legal case bundles stored on an archive server. Backups were also encrypted by the attacker”. In total, “972,191 individual files were encrypted. Of these, 24,711 related to court bundles. Of the 24,711 court bundles, 60 were exfiltrated by the attacker” and published on the dark web. As per Tuckers, “the bundles included a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals.”

Tuckers notified 53 parties (out of the 60) whose bundles were released, as per Article 34 GDPR.

On 27 August 2020, Tuckers appointed a third-party investigator to provide a 'Cyber Security Incident Response Report'. The investigators could not find the source of the attack but found “evidence of a known system vulnerability” that could have been used to access Tucker’s networks and exploit them. Subsequently, the investigators released a patch, which Tucker incorporated in its systems in June 2020.

In September 2020, Tuckers informed the ICO that it had “moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the data that had been compromised by the attacker.”

Holding

The ICO held that “primary culpability for this incident rests with the attacker”. However, Tuckers violated Article 5(1)(f) GDPR as its “technical and organisational measures areas were, over the relevant period, inadequate”. The same was based on the reading of Article 32 GDPR which mandates “a controller when implementing appropriate security measures to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons". The failure to comply with the same was evident from the following:

Although Tucker’s GDPR and Data Protection Policy required two-factor authentication where available, it was not using the same for remote access. The ICO held that multi-factor authentication was a low-cost measure that “could have substantially supported Tuckers in preventing access to its network”. Accordingly, Tuckers failed to meet the requirements of Article 32(1)(b) GDPR.

Tuckers installed the patch after months of its release, during which the attacker could have exploited the vulnerability.

Considering the “highly sensitive nature of the personal data”, Tuckers “should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.

Tuckers did not encrypt the personal data, and accordingly “did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(1)(f) GDPR”. Although the encryption would not have prevented the ransomware attack, it could have mitigated the damage.

For determining the penalty amount, the ICO took note of the fact that “personal data included within the bundles included special category data, and related to individuals that were particularly vulnerable, including children and individuals involved in significant crimes”. As per the ICO, “this type of personal data required particularly high levels of security to be applied to it”; and its breach made the infringement more severe. It also determined that Tuckers’ security practices were negligent. The fact that Tuckers informed the data subjects as per Article 34 GDPR and commissioned a third-party investigator was also considered by the ICO.

Tuckers' failure to follow the mandated security standards was considered to be an aggravating factor. Its subsequent actions of taking remedial steps including changes in the way it handles personal data were considered as mitigating factors.

The ICO used the Five-Step Process mandated in the Regulatory Action Policy (RAP) and fined Tuckers a total of €116,784.27 (GBP 98,000).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

                                                                •


                                                               ICO.
                                                               Information Commissioner's Office


           DATA PROTECTION     ACT 2018   (PART 6, SECTION    155)


      SUPERVISORY    POWERS OF THE INFORMATION         COMMISSIONER



                        MONETARY    PENALTY NOTICE


   TO:  Tuckers Solicitors LLP


   OF:  39 Warren Street, London, Wl T 6AF



1.   Tuckers Solicitors LLP ("Tuckersis a limited liability partnerwhich is
     authorised and regulated by the Solicitors Regulation Authority (No.

      592449) and registered in England and Wales (Companies House No.

     OC382272).


2.   The Information Commissioner ("the Commissioner") has decided to issue

     Tuckers with a Penalty Notice under section 155 of the Data Protection Act
      2018 ("the DPA"). This penalty notice imposes an administratfine on

     Tuckers, in accordance with the Commissioner'spowers under Article 83

     of the General Data Protection Regulation 2016 ("the GDPR")1. The

     amount of the monetary penalty is £98,000.


3.   The monetary penalty has been issued because of a contraventionby

     Tuckers of Articles 5(l)(of the GDPR. The Commissioner finds that,
     during the period of 25 May 2018 to 25 August 2020 ("the relevant

     period"), Tuckers failed to process personal data in a manner that ensured

     appropriate security of the personal data, including protection against
     unauthorised or unlawful processing and against accidental loss,


   The applicable legislation at the time of the Incident was the (EU) GDPR.The Commissioner was at the material
   time the supervisory authority in respect of the (EU)GDPR.

                                      1,                                                               •

                                                               ICO.
                                                               Information Commissioner's Office

     destruction or damage, using appropriate technical or organisational
     measures.


4.   Tuckers became aware on 24 August 2020 of a ransomware attack on its

     systems, and on 25 August 2020 determined that the attack had resulted
     in a personal data breach. The Commissioner considers that Tuckers'

     failure to implement appropriate technical and organisation measures over

     some or all of the relevant period rendered it vulnerable to the attack. The
     attack resulted in the encryption by the malicious and criminal actor (the

     "attacker")of 972,191 individual files, of which 24,712 related to court
     bundles; of the encrypted bundles, 60 were exfiltrated by the attacker

     and released in underground data marketplaces. The compromised files

     included both personal data and special category data.


5.   In addition, whilst not forming the basis of the substantive contravention,
     the Commissioner is also concerned by Tuckers compliance over the

     relevant period with Articles 5( 1)(e), 25, 32( l)(a) and 3GDPR.(b)


6.   In the interests of clarity, 25 May 2018 is the date when GDPR came into

     effect, and 25 August 2020 is the date on which Tuckers reported the
     breach to the Commissioner and shut down the relevant system,

     preventing any further possible authorised access.


7.   This Monetary Penalty Notice explainshe Commissioner's decision,

     including the Commissioner's reasons for issuing the monetary penalty
     and for the amount of the penalty.


   Legal framework   for this Monetary Penalty Notice



   Obligations of the controller


                                      2,                                                                   •


                                                                  Information Commissioner's Office

8.    Tuckers is a controller for the purposes of the GDPR and the DPA, because
      it determines the purposes and means of the processing of personal data

      held on its computer systems (GDPR Article 4(7)).


9.    'Personal data' is defined by Article 4(1) of the GDPR to mean:

                    information relating to an identified or identifiable natural
                    person ('data subject')an identifiable natural person is

                    one who can be identified,directly or indirectly, in

                    particular by reference to an identifier such as a name, an
                    identificationumber, location data, an online identifier or

                    to one or more factors specific to the physical,
                    physiological, genetic, mental, economic, cultural or social

                    identity of that natural person.


   10.  'Processing' is defined by Article 4(2) of the GDPR to mean:

                    any operation or set of operations which is performed on
                    personal data or on sets of personal data, whether or not

                    by automated means, such as collection, recording,

                    organisation, structuringstorage, adaptation or alteration,
                    retrieval, consultation, use, disclosure by transmission,

                    dissemination or otherwise making available, alignment or

                    combination, restriction, erasure or destruction.


   11.   Controllers are subject to various obligations in relation to the processing
         of personal data, as set out in the GDPR and the DPA. They are obliged

         by Article 5(2) to adhere to the data processing principles set out in

        Article5(1) of the GDPR.


   12.   In particular, controllers are required to implement appropriate technical
         and organisationalmeasures  to ensure that their processing of personal

         data is secure, ando enable them to demonstrate that their processing

                                        3,                                                                 •


                                                                IInformation Commissioner's Office

      is secure. Article S(l)(f("Integrity and Confidentiality")   stipulates
      that:

                  Personal data shall be [...] processed in a manner that

                  ensures appropriate security of the personal data, including
                 protection against unauthorised or unlawful processing and

                 against accidental loss, destruction or damage, using
                 appropriate technical or organisational measures



13.   Article S(l)(e)("Storage Limitation")  provides, in material part:


                  Personal Data shall be [...] kept in a form which permits
                 identificationof data subjects for no longer than is

                 necessary for the purposes for which the personal data are

                 processed [...]


14.   Article 25 ("Data protection by design and by default")    provides, in
      material part:



            1.    Taking into account the state of the art, the cost of
                  implementation  and the nature, scope, context and

                  purposes of processing as well as the risks of varying

                  likelihood and severity for rights and freedoms of natural
                  persons posed by the processing, the controller shall, both

                  at the time of the determinationof the means for
                  processing and at the time of the processing itself,

                  implement appropriate technical and organisational

                  measures, such as pseudonymisation,   which are designed
                  toimplement data-protection  principles, such as data

                  minimisation, in an effective manner and to integrate the
                  necessary safeguards into the processing in order to meet



                                      4,                                                               •

                                                              ICO.
                                                               InformationCommissioner' ffice

                 the requirements of this Regulation and protect the rights
                 of data subjects.




            2.   The controller shall implement appropriate technical and
                 organisational measures for ensuring that, by default, only

                 personal data which are necessary for each specific

                 purpose  of the processing are processed.That obligation
                 applies to the amount of personal data collected, the

                 extent of their processing, the period of their storage and
                 their accessibilityIn particular, such measures shall

                 ensure that by default personal data are not made

                 accessible without the individual's interventto an
                 indefinitenumber of natural persons


15.   Article 32 ("Security of processing") provides, in material part:



            1.   Taking into account the state of the art, the costs of
                 implementation  and the nature, scope, context and

                 purposes of processing as well as the risk of varying
                 likelihood and severity for the rights and freedoms of

                 natural persons, the controller and the processor shall
                 implement appropriate technical and organisational

                 measures to ensure a level of security appropriate to the

                 risk, including inter alia as appropriate:


                 (a) the pseudonymisation and encryption of personal data;


                 (b) the ability to ensure the ongoing confidentiality,

                       integrity, availability and resilience of processing
                       systems and services;

                                     5,                                                                 •


                                                                 ICO.
                                                                 Information Commissioner's Office

                  (c) [. ..]



                  (d) [...]


            2.    In assessing the appropriate level of security account shall

                  be taken in particular of the risks that are presented by
                  processing, in particular from accidental or unlawful

                  destruction, loss, alteration, unauthorised disclosure of, or

                  access to personal data transmitted, stored or otherwise
                  processed.


            3.    [...]



The Commissioner's     powers of enforcement


16.   The Commissioner is the supervisory authority  for the UK, as provided

      for by Article 51 of the GDPR.


17.   By Article 57(1) of the GDPR, it is the Commissioner's task to monitor

      and enforce the application of the GDPR.


18.   By Article 58(2)(d) of the GDPR, the Commissioner    has the power to
      notify controllers of alleged infringementof GDPR. By Article 58(2)(i)

      he has the power to impose an administrative   fine, in accordance with

      Article 83, in addition to or instead of the other correctivemeasures
      referred to in Article 58(2),depending on the circumstances    of each

      individual case.


19.   By Article  83(1),  the  Commissioner    is required  to  ensure   that

      administrative fines issued in accordance with Article 83 are effective,

                                      6,                                                        •

                                                        ICO.
                                                        Information Commissioner's Office
proportionate,and dissuasive in each individual case. Article 83(2) goes

on to provide that:


           When deciding whether to impose an administrativefine

           and deciding on the amount of the administrativfine in
           each individual case due regard shall be given to the

           following:


           (a) the nature, gravity and duration of the infringement
                 taking into account the nature scope or purpose of

                 the processing concerned as well as the number of

                 data subjects affected and the level of damage
                 suffered by them;


           (b) the intentional or negligent character of the

                 infringement;


           (c) any action taken by the controller or processor to
                 mitigate the damage suffered by data subjects;



           (d) the degree of responsibiliof the controller or
                 processor taking into account technical and

                 organisational measures implemented by them
                 pursuant to Articles 25 and 32;


           (e) any relevant previous infringementby the controller or

                 processor;


           (f) the degree of cooperation with the supervisory

                 authority,in order to remedy the infringemenand


                              7,                                                              •

                                                              ICO.
                                                              Information Commissioner's Office
                      mitigate the possible adverse effects of the

                      infringement;


                 (g) the categories of personal data affected by the

                      infringement;


                 (h) the manner in which the infringementbecame known to
                       the supervisory authorityin particular whether, and

                      if so to what extent, the controller or processor
                      notified the infringement;



                 (i)where measures referred to in Article 58(2) have
                      previously been ordered against the controller or

                      processor concerned with regard to the same
                      subject-matter, compliance with those measures;


                 (j)adherence to approved codes of conduct pursuant to

                      Article 40 or approved certification mechanisms
                      pursuant to Article 42; and



                 (k) any other aggravating or mitigatinfactor applicable to
                       the circumstances of the case, such as financial

                      benefits gained, or losses avoided, directly or
                      indirectly, from the infringement.


20.  The DPA contains enforcement provisions in Part 6 which are exercisable

      by the Commissioner.  Section 155 of the DPA ("Penalty    Notices")

      provides that:


           (1) If the Commissioner is satisfied that a person-


                                    8,                                                                •

                                                               ICO.
                                                               Information Commissioner's Office
                 (a) has failed or is failing as described in section 149(2) ...,


                       the Commissioner may, by written notice (a "penalty

                       notice"), require the person to pay to the
                       Commissioner an amount in sterling specified in the

                       notice.


           (2) Subject to subsection (4), when deciding whether to give a

                 penalty notice to a person and determining the amount of
                 the penalty, the Commissioner must have regard to the

                 following, so far as relevant-


                 (a) to the extent that the notice concerns a matter to which
                       the GDPR applies, the matters listed in Article 83(1)

                       and (2) of the GDPR.


21.   The failures identified in section 149(2) DPA 2018 are, insofar as relevant
      here:


           (2) The first type of failure is where a controller or processor has

                 failed,or is failing, to comply with any of the following-


                 (a) a provision of Chapter II of the GDPR or Chapter 2 of

                       Part 3 or Chapter 2 of Part 4 of this Act (principles of
                       processing);


                 ..,


                 (c) a provision of Articles 25 to 39 of the GDPR or section

                       64 or 65 of this Act (obligations of controllers and
                       processors)[...]

                                     9,                                                                    •


                                                                   ICO.
                                                                   Information Commissioner's Office



   22.   Schedule 16 includes provisions relevant to the impositionof penalties.

         Paragraph 2 makes provision for the issuing of notices of intent to impose
         a penalty, as follows:



                    "(1)  Before   giving  a  person   a  penalty   notice, the
                    Commissioner must, by written notice (a "notice of intent")

                    inform the person that the Commissioner intends to give a

                    penalty notice."


   The Commissioner's     Regulatory  Action Policy


23.   Pursuant to section 160(1) DPA, the Commissioner   published his

      Regulatory Action Policy ("RAP") on 7 November 2018.


24.   The process the Commissioner   will follow in deciding the appropriate

      amount of penalty to be imposed is described in the RAP from page 27
      onwards. In particular,the RAP sets out the following five-step process:



            a. Step 1. An 'initial elementremoving any financial gain from the
               breach.

            b. Step 2. Adding in an element to censure the breach based on its

               scale and   severity, taking  into  account  the  considerations
               identified at section 155(2) - (4) DPA.

            c. Step 3. Adding in an element to reflect any aggravatingfactors. A

               list of aggravatinfactors which the Commissioner would take into
               account, where relevant, is provided at page 11 of the RAP. This

               list is intended to be indicatinot exhaustive.
            d. Step 4. Adding in an amount for deterrent effect to others.



                                        10,                                                              •

                                                             ICO.
                                                             Information Commissioner's Office

        e. Step 5. Reducing the amount (save that in the initial element) to
           reflect any mitigatingfactors, including ability to pay (financial

           hardship). A list of mitigatinfactors which the Commissioner
           would take into account, where relevant, is provided at page 11-

           12 of the RAP.This list is intended to be indicative, not exhaustive.


Factual background to the incident


25.  Tuckers' website describes it as the UK's leading criminal defence

      lawyers specialising in criminal law, civil liberties and regulatory
      proceedings. Established in 1983, the firm has numerous offices in

      Greater London, Greater Manchester, West Midlands, Kent, Sussex,
      Staffordshire and Somerset.



26.   On 24 August 2020 Tuckers determined that it had been subjected to a
      ransomware attack; parts of its IT system became unavailable. Upon

      investigationits IT staff identified a ransomware note from the
     attacker stating that they had compromised Tuckers' system.



27.   On 25 August 2020 it submitted a personal data breach notification to
     the Commissioner. It explained that the attack had resulted in the

     encryption of civil and criminal legal case bundles stored on an archive
      server. Backups were also encrypted by the attacker. The

      Commissioner notes that these actions by the attacker affected only
     the archive server; the vast majority of the personal data Tuckers was

      processing wasin fact held on other servers and systems that were not

     affected by the attack.


28.  Tuckers stated that a significant number of personal data records were
      held on the archive server and provided the total number of encrypted

     files as a result the attack.

                                   11,                                                             •

                                                             ICO.
                                                             Information Commissioner's Office


29.   In total, 972,191 individual files were encrypted. Of these, 24,711

      related to court bundles. Of the 24,711 court bundles, 60 were
      exfiltrated by the attacker and published on an underground market

      site (the "dark web").


30.  Tuckers stated that the bundles included a comprehensive set of
      personal data, including medical files, witness statements, name and

      addresses of witnesses and victims, and the alleged crimes of the
      individuals. The 60 exfiltrated court bundles included 15 relating to

      criminal court proceedings and 45 civil proceedings. Of the 60

      exfiltrated court bundles, the personal data was not related to just one
      living individual; it was likely to have included multiple individuals.


31.   In respect of the criminal cases, Tuckers stated it included one ongoing

      criminal case at the Proceeds of Crime Act Stage, the criminal trial had
      concluded. All other criminal cases had been concluded. In respect of

     the civil cases, Tuckers explained that there was a mixture of archived
      and live cases. The Commissioner notes that some of the personal data

      compromised by the attack was likely to have featured in open court

      proceedings, but the unauthorised access to personal data resulting
      from this attack was very different in nature and scale. Tuckers further

      explained that to its understanding the personal data breach has not
      had any impact on the substance of its archived or live cases, i.e. on

     the conduct or outcome of the relevant proceedings.


Overview  of the attack


32.  The attack resulted in the unavailability of personal data (via

      encryption) and a loss of confidentia(via access to, and exfiltration
      of, the personal data).

                                   12,                                                                       •

                                                                       ICO.
                                                                       Information Commissioner's Office



33.    On 27 August 2020 Tuckers commissioned third-party         investigators,
                         , to provide a 'Cyber Security Incident Response

       Report'. Neither Tuckers nor                  was able to determine

       conclusively how the attacker was able to access Tuckers' network.

       However,   it did find evidence of a known system vulnerability -

                       that could have been used to either access the

       network, or further exploit areas of Tuckers once inside the network.


34.   -      released a patch for                     in January 2020. Tuckers

       has told the Commissioner that it applied the patch in June 2020, but it

       has accepted that the attacker could have exploited it during the five­

       month unpatched period    3•



35.    Once inside the network, the attacker installed various attacker tools
       which allowed the attacker to create its own user account, which it did.

      The attacker used this account to execute the attack and encrypt a

       significant volume of personal data contained in case bundles held on

       the archive server within the Tuckers network (see paragraph 29

       above). As well as encrypting the personal data and the backups, the

       attacker also exfiltrated 60 court bundles and released them onto the

       dark web.


36.   Tuckers notified all  but seven of the parties detailed within the 60 court

       bundles which had been released    4; this was done in line with the




2
3'CVE' is a reference number used to identify known vulnerabilities.
 It is noted that Tuckers' &Data Protection Policy st"allsoftware, operating system and
4irmware shall be updated on a regular basis to reduce the risk presented by security vulnerabilities".
 These seven had been subject to a custodial sentence when Tuckers last had contact with them. Tuckers stated
that they therefore did not have a postal address for these individuals at any stage; either because they did not
have one before they were remanded to custody and/or they only had a relationship with them in custody, so did
not record any address outside of prison.

                                         13,                                                                  •

                                                                 ICO.
                                                                 Information Commissioner's Office

         requirements of Article 34 GDPR.Italso made a public notification of
        the incident using its social media presence and its website.


   37.  Tuckers provided an update  to the Commissioner on 7 September 2020

        stating that it had moved its servers to a new environment and the
         business was now back to running as normal, albeit without the

         restoration of the data that had been compromised by the attackerIt

        stated that, whilst the compromised court bundles were effectively
         permanently lost, the material within the bundles was still available on

         its case management system which was unaffected by the attack.


   38.  The Commissioner has considered   whether these facts constitute a

        contravention of the data protection legislation.


   The Contravention


39.   For the reasons set out below, and having carefully considered Tuckers'

      representations,the Commissioner has concluded that Tuckers
      contravened Article S(l)(fGDPR. The Commissioner makes clear that he

      accepts that primary culpability for this incident rests with the attacker.
      But for the attacker's criminal actions, regardless of the state of the

      security, the breach would not have occurred. However, the infringements
      identified by the Commissioner were relevant to the personal data breach

      because they gave the attacker a weakness (vulnerabilityto exploit

      and/or because they increased the risks to personal data once the
      attacker entered Tuckers' network. Particularly in light of the volume and

      nature of the personal data for which Tuckers were responsible, data
      security contraventionsthat created such risks were serious matters that

      justify enforcement action on the facts of this case.




                                       14,                                                                   •


                                                                  ICO.
                                                                  Information Commissioner's Office
40.   In reaching those conclusions, the Commissioner has given consideration
      to Article 32 GDPR, which requires a controller when implementing

      appropriate security measures to consider "the state of the art, the costs

      of implementation and the nature, scope, context and purposes of
      processing as well as the risk of varying likelihood and severity for the

      rights and freedoms of natural persons".


41.   As part of his deliberations, the Commissioner has considered, in the

      context of "state of the art", relevant industry standards of good practice

      including the ISO27000 series, the National Institutes of Standards and
      Technology ("NIST"), the various guidance from the ICO itself, the

      National Cyber Security Centre ("NCSC"), the Solicitors Regulatory
      Authority ("SRA"), Lexcel and 'NCSC Cyber Essentials'.



42.   The Commissioner has concluded   that there are a number of areas in
      which Tuckers has failedto comply with, and to demonstrate that it

      complied with, Article S(l)(GDPR. Tuckers' technical and organisational

      measures areas were,  over the relevant period, inadequate in the
      following particular respects:



      •  Lack of Multi-Factor  Authentication  ("MFA")


43.   Tuckers explained that it used a -environment     to deploy remote
      desktops via the-web       app and that its-environment      was at the

      centre of the cyber-attackIts GDPR and Data Protection Policy required

      two-factor authenticationwhere available, however, it stated that it did
      not use Multi-Factor Authenticatio(MFA) for its -    remote access

      solution.


44.   With regards to "state of the art", the Commissioner notes that ISO27002

      recommends "where strong authentication  and identify verification is

                                        15,                                                                 •


                                                                 ICO.
                                                                 Information Commissioner's Office
      required, authenticatiomethods alternative to passwords, such as
      cryptographic means, smart cards, tokens or biometrics should be used".



45.   NIST 800-63b requires that where "some assurance" is needed that the
      individual authenticatinis who they claim to be, authenticatimay be

      allowed via a single factor such as password. Where a high degree of

      certainty is required, controllers should implement either MFA or a
      combination of two single factor authenticatoWhere a very high degree

      of certainty is required, authenticatshould be based on proof of

      possession of a key through a cryptographic protocol including possession
      of two distinct authenticators.


46.   The Commissioner understands  that -    published guidance in 2016

      which stated that organisations should not use single factor authentication

      for-     in production environments.The NCSC has recommended since
      2018 to use MFA for services such as remote access. It says that MFA is

      particularly important for authenticatto services that hold sensitive or

      private data. The NCSC Cyber Essentials requires multi-factor
      authenticationwhere it is available, and the SRA also published guidance

      in 2018 which recommended the use of MFA where possible.


47.   The Commissioner believes that the use of MFA was a comparably low­

      cost preventative measure which Tuckers should have implemented, with
      there being a number of both open and proprietary/commercialMFA

      solutions widely available that are compatible with-·


48.   The use of MFA substantially increases the difficulty of an attacker

      entering a network via the exploitation of a single username/password.

      Had MFA been used, it could have substantially supported Tuckers in
      preventing access to its network. The Commissioner is cognisant of the

      fact that Tuckers is unable to confirm exactly how the attacker entered its

                                       16,                                                                  •


                                                                 Information Commissioner's Office

      network - however, the exploitation of a single username and password is
      a common exploitation method and is likely to be one of two possible

      entry methods into the Tuckers network. The lack of MFA accordingly

      created a substantial risk of personal data on Tuckers' systems being
      exposed to consequences such as this attack.


49.   Taking into consideration the highly sensitive nature of the personal data

      that Tuckers was processing, as well as the state of the art of MFA, and

      the costs of implementation,Tuckers should not have allowed access to
      its network using only a single username and password. In doing so, it did

      not ensure appropriate security, including protection against unauthorised
      and unlawful processing of its personal data, as required by Article 5(l)(f)

      GDPR.


50.   For the same reasons, the Commissioner considers that Tuckers also

      failed to meet the requirements of Article 32(l)(which required
      appropriate measures to be put in place to ensure the ongoing

      confidentialitintegrity and availability of its data processing systems and

      services.


      •  Patch Management


51.   Following                                proceeded to check the state of

      the-environment.      -     provided a number of commands to validate
      whether a                                           had been

      compromised via  the vulnerabilitone of which showed "significant

      indication" of this. - released a mitigation step for this vulnerabilony
      19 December 2019.  It provided a patch to fix the vulnerabilon 19

      January 2020. Tuckers stated to the Commissioner that it installed the
      patch in June 2020, more than four months after the patch was released,



                                       17,                                                                     •


                                                                     ICO.
                                                                     Information Commissioner's Office
      and accepted that the attacker could have exploited its vulnerability
      during the un-patched period.



52.   With regards to "state of the art", it is apparent that-   had announced
      on 17 December 2019 that it was aware of the vulnerability   CVE-­

      -      and provided mitigation  steps to prevent exploitationof it, with a

      patch to fix the vulnerabilitbeing released on 19 January 2020. At the
      time of becoming aware of the vulnerability, -advised       in a published

      security bulletin on its website that it "strongly urges affected customers

      to immediately upgrade to a fixed build OR apply the provided mitigation
      which applies equally to                            and

      -       deployments".


53.   On 27 January 2020, the NCSC published an 'Alert' that malicious actors

      were exploiting the CVE-              vulnerability.The Alert said "the
      NCSC recommends following vendor best practice advice to mitigate

      vulnerabilitiesIn this case, the most important aspect is to install the

      latest updates as soon as practicable and to follow the vendor mitigation
      advice immediately [...] the NCSC also strongly advises organisations

      carry out searches across their networks to identify whether exploitation

      has taken place". Itprovided a link to a tool that detects the vulnerability.
      On 29 January 2020, the NCSC published a subsequent Alert on its

      website. Itprovided further details on how to detect the vulnerability.


54.   On 8 April 2020, the NCSC published a joint advisory with the US

      Department of Homeland Security (CISA) titled "COVID-19 exploited by
      malicious cyber actors". Itexplained that CVE-              and its

      exploitationhas been widely reported online since January 2020; it

      provided links to guidance on how to resolve the vulnerability.




                                         18,                                                                     •


                                                                    ICO.
                                                                    Information Commissioner's Office
55.   On 28 April 2020, -         published a security blog drawing attention to

      recent ransomware attacks. It explained that malicious actors were
      exploiting such vulnerabilitieas remote access without multi-factor

      authentication,older operating systems such as 'Server 2008' and the

     -vulnerability      CVE-


56.   The Commissioner has considered relevant industry standards of best

      practice, includingthe ISO27002 suggestion that organisations should

      define a timeline to react to notifications of potentially relevant technical
      vulnerabilitiesand once a vulnerability has been identified, associated

      risks should be identified and actions taken, such as patching the system

      to remove the vulnerability.


57.   The Commissioner understands the CVE scored a CVSS of 9.8: A score of

      9.8 is rated as "criticalThe 'NCSC Cyber Essentials' requires patches
      that are rated as 'high' or 'critical' should be applied within 14 days of the

      release of the patch. As stated, the patch was released in January 2020

      and installed some five months later. In addition to the NCSC Cyber
      Essentials, the ICO's Security Outcomes guidance also recommends

      actively managing software vulnerabilitiesand the application of software

      update patches.


58.   The SRA also published guidance in 2018 which highlighted the

      importance of maintaining up-to-date IT equipment/systems.


59.   In terms of cost, the patch was available for free. The Commissioner

      accepts that whilst the cost of the patch was free, there are other cost

      implications, such as the cost of personnel to test the patch prior to
      deployment. However, in the Commissioner's view, this should not have


   5The CVSSis an independent rating scale on how critical a vulnerability is. The CVSSscale is based on low, medium,
   high and critical, based on scores

                                         19,                                                                   •


                                                                  Information Commissioner's Office

      been a barrier to the prompt application of the patch given the sensitive
      personal data being processed.



60.   Taking into consideration the highly sensitive nature of the personal data
      that Tuckers were processing, as well as the state of the security updates,

      and the costs of implementation for them, Tuckers should not have been
      processing personal data on an infrastructurcontaining known critical

      vulnerabilitiewithout appropriatelyaddressing the risk. In doing so, it did

      not ensure appropriate security, including protection against unauthorised
      and unlawful processing of its personal data, as required by Article S(l)(f)

      GDPR.

61.   The Commissioner further notes that Tuckers' own GDPR & Date

      Protection Policy states that "all software, operating system and firmware

      shall be updated on a regular basis to reduce the risk presented by
      security vulnerabilitiesTuckers speculated that it was unlikely the

      attacker would have exploited a vulnerabilitto gain access to the

      network, but then not executed the attack until August 2020, two months
      after initial access. However, this is a common attacker tactic used by

      advanced persistent threat groups. Accordingly, the Commissioner is not
      persuaded that the passage of time from June 2020 (when the patch was

      implemented)  and August 2020 (when the attacker exfiltrateddata) casts

      significantoubt on the likelihood of this patching delay having given the
      attacker the opportunitythey exploited. In any event, even if the attack

      did not exploit this delay, the delay was nonetheless a significant
      deficiency in Tuckers' technical measureshat created the risk of serious

      incidents such as this.


62.   Forthe same reasons, Tuckers also failed to meet the requirements of

      Article 32(l)(b)which required appropriate measures to be put in place to



                                       20,                                                                  •


                                                                 Information Commissioner's Office

      ensure the ongoing confidentialitintegrity and availability of its data
      processing systems and services.



      •  Failure to encrypt personal data


63.   Tuckers provided information during the Commissioner's investigation that
      the personal data stored on the archive server that was subject to this

      attack had not been encrypted. The Commissioner accepts that

      encryption of the personal data may not have prevented the ransomware
      attack. However, it would have mitigated some of the risks this attack

      posed to the affected data subjects. This is because effective encryption
      management, with appropriate protection of the decryption keys, can

      prevent an unauthorised party such as a malicious attacker from being

      ableto read the personal data once they have obtained access to
      systems. Such encryption would therefore have upheld the principles of

      confidentialitof the personal data, even in its exfiltrated form.


64.   With regards to "state of the art", The Commissioner has taken into

      consideration relevant standard of best practice, including the ISO27001
      requirement to implement cryptographic controls in compliance with all

      relevant agreements, legislation and regulation. NIST 800-53 also

      discusses how the selection of cryptographic mechanisms should be based
      on the need to protect the confidentialand integrity of organisational

      information.It says that the strength of a mechanism should be
      commensurate with the security category or classification of the

      information. The Commissioner understands that the Tuckers GDPR and

      Data Protection Policy identified client data as its most sensitive data,
      requiringthe highest level of protection.


65.   The Commissioner's published guidance on encryption also states that it

      "considers encryption to be an 'appropriate technical measureand in

                                       21,                                                                •


                                                                Information Commissioner's Office

      cases where data is lost or unlawfully accessed and encryption was not
      used, we may consider regulatory action". The ICO's Security Outcomes

      guidance suggests implementing technical controls such as encryption to

      prevent unauthorised or unlawful processing of personal data. The SRA
      also published guidance in 2017 which highlights encryption as a cost­

      effective step in keepingformation safe.


66.   Althoughthe ICO does not endorse or recommend one particular

      encryption solution, the Commissioner understands that free, open-source
      encryption solutions are widely available, or, should Tuckers have wished

     to purchase specific court-bundlinsoftware with encryption capabilities,
     this is also commercially and inexpensively available. The Commissioner's

      experience ishat the use of encryption solutions is an industry norm

      within legal services, as would be expected.


67.  Taking into consideration the highly sensitive nature of the personal data
     that Tuckers were processing, as well as the state of the art of encryption,

      and the costs of implementationTuckers should not have been storing

     the archive bundles in unencrypted,plain text format. In doing so, it did
      not ensure appropriate security, including protection against unauthorised

      and unlawful processingof its personal data, as required by Article S(l)(f)

      GDPR.


68.   For the same reasons, Tuckers also failed to meet the requirements of
      Article 32(l)(awhich expressly cites the encryption of personal data as

      anappropriate security measure.


   Notice of Intent


69.   On 7 September 2021, in accordance with s.155(5) and paragraphs 2 and

      3of Schedule 16 DPA, the Commissioner issued Tuckers with a Notice of

                                      22,                                                                   •


                                                                  ICO.
                                                                  Information Commissioner's Office
      Intent to impose a penalty under s.155 DPA. The Notice of Intent
      described the circumstances and the nature of the personal data breach in

      question, explained the Commissioner's reasons for a proposed penalty,

      and invited written representationfrom Tuckers.


70.   On 22 November 2021, Tuckers provided substantial written

      representationsin respect of the Notice, together with supporting
      documentation  in relation to its finances. In answer to further questions

      posed by the Commissioner on 1 December 2021, Tuckers provided

      additionalinformationon 24 December 2021.


71.   On 7 February 2022, the Commissioner held a 'representations meeting'
      to thoroughlyconsider the representations provided by Tuckers. At that

      meeting it was decided that a monetary penalty remained appropriate in

      allof the circumstances.


   Factors relevant to whether   a penalty is appropriate,  and if so, the

   amount of the penalty


72.   The Commissioner has considered the factors set out in Article 83(2) of

      the GDPR in deciding whether to issue a penalty for the contraventionof
      Article S(l)(f(and 32(1)) particulariseabove. For the reasons given

      below, he is satisfied that (i) the contraventiare sufficiently serious to
      justify issuing a penalty in addition to exercising his corrective powers;

      and (ii) the contraventionare serious enough to justify a significant fine.


   (al   the nature, gravity and duration of the infringement    taking into

   account the nature, scope or purpose of the processing concerned as

   well as the number of data subjects affected and the level of damage
   suffered by them



                                       23,                                                                 •


                                                                 Information Commissioner's Office

73.  The Commissioner considers that there have been a number of
      infringementsidentified in relation to Articles 5(GDPRthat have

      demonstrated Tuckers' approach to data protection compliance was not of

      an appropriate standard.


74.   In its public communicatioof the breach, it stated that it held client
      informationrelating to over 60,000 clients. Tucker stated that, during the

      attack, a significant amount of personal data, including special category

      data, was unlawfully accessed and encrypted by the attacker. This
      included over 20,000 court bundles, of which 60 bundles were exfiltrated

      and released onto the dark web.


75.  The personal data included within the bundles included special category

      data, and related to individuals that were particularly vulnerable, including
      children and individuals involved in significant crimes. This, in the

      Commissioner's view, increases the severity of this infringemegiven
      that this type of personal data required particularly high levels of security

      to be applied to it.


76.   In terms of the duration of the infringemethe Commissioner considers

      that the contraventioperiod for this breach persisted over at least part of

      the period from 25 May 2018 (i.e. the date on which GDPR came into
      force) until 25 August 2020 (i.e. the date on which Tuckers reported the

      breach to the Commissioner and shut down the relevant system,
      preventing any further possible authorised access). The Commissioner

      notes that Tuckers failed to have MFA in place, which was recommended

      from at least 2016; it resolved this issue by 19 November 2020. As
      explained above, the patch management contravention  spanned the

      period from January to June 2020. The encryption contraventiois likely
      to have persisted over a longer period.



                                       24,                                                                   •


                                                                  ICO.
                                                                  Information Commissioner's Office
77.   In terms of the assessment of damage suffered by affected data subjects,
      the Commissioner has regard to Recital 85 GDPR which explains that

      "physical, material or non-materiadamage to natural persons such as

      loss of control over their personal data or limitation of their rights,
      discriminationidentity theft or fraud, financial loss, unauthorised reversal

      of pseudonymisation, damage to reputation, loss of confidentialiof

      personal data protected by professional secrecy or any other significant
      economic or social disadvantage to the natural person concerned".



78.   The Commissioner finds that the release of personal data of the type in
      this case on to the dark web in particular, is likely to increase distress to

      the affected individuals, not least given the vulnerabiof some of the
      individuals to whom the data related.



79.   Some  of the exfiltrated data includes image files in relation to allegations
      of_,    and bundles that identify the complainants;documents which

      identify -    and               ; and th~       of witness to crimes. In

      some instances, the compromised data included legally professionally
      privileged information between clients and Tuckers.



80.   Further,the exfiltrated data included personal data relating to a prisoner's
      child (in relation to access to the child). Recital 38 GDPR explains that

      children merit specific protection with regard to their personal data. The
      child's privacy has been breached, with intimate details of their family life

      published online.


   (bl   the intentional or negligent  character  of the infringement



81.   The Commissioner considers that this personal data breach occurred due
      to a criminal and malicious cyber-attack that exploited negligent security

      practices.

                                       25,                                                                •

                                                               ICO.
                                                               Information Commissioner's Office


82.  Tuckers were aware prior to the attack that its security was not at the

      level of the NCSC Cyber Essentials. In October 2019, it was assessed
     against the 'Cyber Essentials' criteria and failed to meet crucial aspects of

      its requirements.


83.  The  NCSC describes Cyber Essentials as: "A simple but effective,
     Government backed scheme that will help you to protect your

     organisation,whatever its size, against a whole range of the most
     common cyber attacks [...] Cyber attackcome  in many shapes and sizes,

     but the vast majority are very basic in nature, carried out by relatively

     unskilled individuals. They're the digital equivalent of a thief trying your
     front door to see if it's unlocked. Our advice is designed to prevent these

     attacks".


84.  Given the personal data that Tuckers was processing, including special
     category data of very vulnerable individuals, the Commissioner believes

     that it is reasonable to expect that the security within Tuckers should
      have not only have met, but surpassed the basic requirements of Cyber

      Essentials. The fact that some 10 months after failing Cyber Essentials it

      had still not resolved this issue is, in the Commissioner's view, sufficient
     to constitute a negligent approach to data security obligations.


85.  In addition, Tuckers were accredited by the Law Society's Lexcel Legal

      Practise Quality Mark. Its March 2018 Standards stated that law practises
      should be accredited against Cyber Essentials. Thisher reinforced the

     conclusion that Tuckers should have had the requisite measures in place

     to achieve accreditation by at least October 2019, and when it failed its
     Cyber Essentials assessment, it should have quickly and promptly

      resolved the inadequacies. Had it done so, it could have demonstrated a


                                      26,                                                                   •


                                                                   Information Commissioner's Office

      much stronger approach to compliance and would have greatly reduced
      the likelihood of this personal data breach from occurring.



86.   Tuckers is also regulated bythe SRA. In 2017, the SRA warned its
      organisations that the legal sector was an obvious target for cyber

      criminals.Itstated that "solicitors are obliged under the Code of Conduct
      to maintain effective systems and controls to mitigate risks to client

      confidentiality".


87.   Italso provided security guidance in 2017, in its "IT Security: keeping

      information and money safe" publication; and in 2018, in its "Technology
      and Legal Services". Both provided advice and guidance, such as

      encryption, secure remote access and up to date operating systems and

      software,that if followed, would have significantly reduced the likelihood
      of this attack being successful.


88.   In addition, the Commissioner provided free assessment tools kits for

      controllers to use to support them in complying with the GDPR. One such

      toolkit (regarding 'Records Management') provided advice and guidance
      on deleting personal data when it is no longer necessary (i.e. when the

      retention period has expired).


89.   Further negligent practices by Tuckers that were of concern to the

      Commissioner included:


      •  Failing to implement MFA on its-     remote access solution. -

         advised in 2016 that you should have MFA in place for production
         environments, and the NCSC recommended in 2018 that you should

         have MFA in place for remote access solutions.




                                        27,                                                                          •


                                                                         ICO.
                                                                         Information Commissioner's Office
      •   Processing personal data on the operating system

         _,     which ended mainstream support in 2015, and ended extended

          support in January 2020, meaning that it was no longer supported, and

         therefore received no security updates.


      •   Not applying a high-risk security patch until four months after it was

          released, despite it being listed as 'critical'. This was particularly

          negligent given that the NCSC had published an Alert drawing attention
         to it.



      •   Failing to apply encryption techniques to data at rest, despite ICO
          Guidance from 2018 recommending it;



      •   Storing court bundles after its 7-year retention period, some of which

          were exfiltrated through this attack. A failure to adhere to or to justify
          departures from its retention practices creates concerns about

         compliance with Article S(l)(e)   GDPR, which requires personal data to

          be "kept in a form which permits identification   of data subjects for no

         longer than is necessary for the purposes for which the personal data
         are processed"  6•



   (cl   any action taken by the controller or processor to mitigate the

   damage suffered by data subjects


90.   Tuckers assessed that, in relation to the individuals of the 60 exfiltrated

      court bundles, these were likely to result in a high risk to individuals;


   6Tuckers stated to the Commissioner at one point during h"this is where criticism of us is most
   justified and where we are looking to rebuild our systems without repeating the sins of the past. We have been
   reasonably goodmanaging our case management environment and central archives on the basis that we do not
   store items for longer than necessary where possible. However, the files that were accessed were in locations that
   were not being proactively managed well enough with regards ensuring that data that was still being stored outside
   of our retention periods was then beThe Commissioner notes, however, that subsequent
   representations from Tuckers suggested that its retention of the compromised files was justified.

                                            28,                                                                   •


                                                                   ICO.
                                                                   Information Commissioner's Office
      therefore, in line with Article 34 GDPR requirementit notified the affected

      data subjectsof the personal data breach7, using the following methods:
      letters and emails sent on 19 October 2020; social media notificationand

      website publication.


91.   In addition, Tuckers commissioned third party support (i.e.

      who provided incident response support following the breach. It also

      reported the incident to Action Fraud, the National Crime Agency, the
      Metropolitan Police, the NCSC, and the SRA.


   (dl   the degree of responsibility  of the controller or processor taking

   into account technical and organisational    measures implemented       by

   them pursuant to Articles 25 and 32


92.   The Commissioner is also satisfied that Tuckers was responsible for

      multiple breaches not only of Article S(l)(but also of Article 32, not
      least through its failure to implement MFA on its remote access solution

      and its patchmanagement inadequacies. The Commissioner finds that

      Tuckers failed to meet the requirements of Article 32(l)(bGDPR, which
      required appropriate measures to be put in place to ensure the ongoing

      confidentialityintegrity and availability of its data processing systems and

      services.In relation to the lack of encryption of the archived court
      bundles, Tuckers failed to meet the requirements of Article 32(l)(a)

      GDPR, which lists the encryption of personal data, inter alia, as an

      appropriate security measure.


   (el   any relevant  previous infringements    by the controller or

   processor




   7Savefor the 7 individuals for whom Tuckers had no contact details for (see Footnote 3).

                                        29,                                                                   •


                                                                   Information Commissioner's Office

93.   The Commissioner is unaware of any previous data protection infringements
      by Tuckers.



   (fl   the degree of cooperation   with the supervisory    authority, in
   order to remedy the infringement     and mitigate  the possible adverse

   effects of the infringement


94.   Tuckers were fully cooperative with the Commissioner's investigation.


   (gl   the categories of personal data affected by the infringement


95.   The compromised bundles contained a range of categories of personal

      data, and special category data as defined by Article 9(1) GDPR.

      Specifically those categories included:


         •    Basic Identifiers

         •    Health Data

         •    Economic  and Financial Data

         •    Criminal Convictions

         •    Data revealing racial or ethnic origin


96.   Given the nature of court bundles, however, the personal data affected by

      this attack was not confined to discrete fields such as those listed above.
      Instead, the data included narrative descriptions of facts, allegations and

      opinions about the data subjects referred to in those bundles. In total,

      972,191 individual files were encrypted. Of these, 24,711 related to court
      bundles which contained a wide range of personal data. Of the 24,711

      court bundles, 60 were exfiltrated by the attacker and published on the
      dark web. Of these 60 bundles, 45 related to civil cases and 15 related to

      criminal cases.

                                        30,                                                                •

                                                                ICO.
                                                                Information Commissioner's Office


97.   In relation to the civil proceedings, Tuckers stated that "the bundles are

     bundles that were prepared by us - but again bundles that were prepared
      for use in connection with either a prelimior final hearing in relation

      to the matters.In civil proceedings it is our responsibility (we do only
      Claimant work) to prepare the bundles for use in connection with the

      Court hearings."


98.   In relation to the criminal proceedings, Tuckers stated that "all the

     material is material that was served on Tuckers by the prosecution and
      would therefore have been subject to use in open Court proceedings. The

     bundles do not include any documentation that we have prepared, for

      example letters providing legal advice or draft statements prepared in
      connection with the defence.It is only prosecution evidence served on us

      - which includes documentation and videos relating to CCTV/Body Worn
      Video served on". The Commissioner has given weight to the fact that

      some of the compromised data will have been referred to in open court

      proceedings, but does not consider that this eliminates the serious
      prejudicial consequences of this attack, which resulted in extensive and

      sensitive data being made available to unauthorised persons in ways that
      are very different from references in court during the course of

      proceedings.


99.  Tuckers explained that the bundles included a comprehensive set of

      personal data, including medical files, witness statements,
      name/addresses of witnesses and victims, and alleged crimes, including

      particularly heinous crimes such as rape and murder.


100. It stated that some of the clients involved in its cases are vulnerable in

      terms of their mental or physical wellbeing, with such information being
      included as part of those clients' bundles.

                                      31,                                                             •

                                                            ICO.
                                                            Information Commissioner's Office

101. It confirmed that witness statements were contained in many of the

     compromised bundles.

102. Tuckers providedthe Commissioner with a summary of each of the

     exfiltrated bundles, which included personal data relating to vulnerable
     individuals as well as very sensitive personal data, including:


        •


        •




        •
        •



        •


        •


        •



   (hl  the manner in which the infringement  became known to the
   supervisory authority,in particularwhether, and if so to what extent,

  the controller or processor notified the infringement

103. Tuckers notified the Commissioner via a self-reppersonal data

     breach form on 25 August 2020, one day after becoming aware of the


                                    32,                                                                •


                                                               Information Commissioner's Office

     security incident, and the same day that it determined the security
     incident had resulted in a personal data breach.



   (il  where measures referred to in Article 58(2)   have previously
   been ordered against the controller or processor concerned with

   regard to the same subject-matter,   compliance with those measures


104. Not applicable.


   (j)  adherence  to approved codes of conduct pursuant to Article 40

   or approved certification mechanisms   pursuant to Article 42


105. Not applicable.


   (kl  any other aggravating   or mitigating factor applicable to the

   circumstances  of the case, such as financial benefits gained, or
   losses avoided, directly or indirectlyfrom the infringement



106. The Commissioner has considered the following aggravating factor in
     this case:



        •     The Commissioner's Regulatory Action Policy statesat "In data
              protection cases, whether the relevant individual or organisation

              is certified by a body that has been accredited under Article 43 of
              the GDPRor has failed to follow an approved or statutory code of

              conduct", the commissioner reserves the right to take this into

              consideration as an aggravating factor.


              The SRA has a published 'Code of Conduct for Firms'. Of
              particular relevance here are the requirements to: [Para 2.l(a)]

             "Have effective governance structures, arrangementssystems

                                      33,                                                                  •

                                                                  ICO.
                                                                  Information Commissioner's Office

              and controls in place that ensure [...] [ compliance] with all the
              SRAs  regulatory arrangements as well as with other regulatory

              and legislative requirements,which apply to you"; [Para 2.5]
              "[. ..] identify, monitor and manage all material risks to your

              business"; [Para 3.1] "[. ..] keep up to date with and follow the
              law and regulation governing the way you work"; and [Para 5.2]

              "[. ..] safeguard money and assets [including documents]

              entrusted to you by clients and others".


              The Commissioner considers that Tuckers has failed to meet
              these standards of the Code.



107. The Commissioner has considered the following mitigating   factors in
      this case:


        •     Tuckers has proactively sought to address the security concerns

              and engaged with third party experts to increase the security of

              its systems, including


              (a)   On 19 November 2020 it completely separated from its
                    legacy infrastructureand updated to a

                    environment;


              (b)   Itimplemented MFA access to all other remote access

                    environments;


              (c)   Ithas purchased database and software capabilities as a
                    service where -        will be responsible for updating and

                    patching the core infrastructuredatabase and software;




                                       34,                                                         •


                                                        ICO.
                                                        Information Commissioner's Office
(d)   It is engaging with 'Cyber Griffin' at the City of London

      Police and has made   it mandatory for all of its employed
      staff to attend their baseline briefings;



(e)   It has also agreed to invite 'Cyber Griffin' to do an audit of
      its security procedures prior to applying again for Cyber

      Essentials in the first instance and, Cyber Essentials Plus

      shortly thereafter;


(f)   It is in the process of completing its purchase of licences

      from-to            run-on           their user accounts, in
      order to provide greater security in relation to the devices

      that connect to its network; it has also engaged the

      services of a-          network engineer to support them in
      configuring this. Once  this is done it intends to apply for

      NCSC Cyber Essentials Accreditation;


(g)   It has automated the deletion of personal data within its

      case  management system on the expiry of the retention

      period. For personal data stored outside its case
      management system, it is using an external consultant to

      identify tools built into its new                environment

      that will support the classification, and automated deletion,
      of personal data.



(h)   It has encrypted data on Tuckers' systems through
      -and           -encryption.       This is so by design.



(i)   It has transferred all client data to            which has
      ensured  the effective application of Tuckers' data retention

      policy to all such data

                           35,                                                                   •

                                                                   ICO.
                                                                   Information Commissioner's Office


              (j)   It has continued to improve training and information

                    security awareness throughout  its business, including
                    through weekly communications   on cyber risks and

                    awareness. This, in turn, has led to the increased reporting
                    of suspicious activity, thereby improving the security of

                    Tuckers' systems


              (k)   It has made improvements to the management of Tuckers'

                    antivirus and privileged accounts, with local admin end
                    users having been removed.



              (I)   It has addressed the human resourcing issues and now
                    utilises ahird-party specialists as required and has

                    expanded its IT team. There are now four members of staff
                    including a Systems Manager who is responsible for

                    ensuring that all third-partcontracts and services that

                    Tuckers uses for specialist support are well managed


              (m)   Penetration testing has been carried out and is regularly
                    scheduled. All critical and high-risk issues identified in

                    those tests have been remedied


   Summary and amount of penalty


108. For the reasons set out above, the Commissioner has decided to impose a

      financial penalty on Tuckers. The Commissioner has taken into account
      the size of Tuckers, publicly available information regarding its finances,

      and the representations made by Tuckers as to its financial position. He is

      mindful that the penalty must be effective, proportionate and dissuasive.


                                        36,                                                               •

                                                               ICO.
                                                               Information Commissioner's Office
   Calculation of the penalty



109. Following the 'Five Step' process set out in the RAPthe Commissioner has
      arrived at an appropriate penalty amount as follows:


Step 1: An initial element removing any financial gain from the breach.


110. The Commissioner noted that there was no financial gain or benefit to

     Tuckers from this breach.


Step 2: Adding in an element  to censure the breach based   on its scale

     and severity, taking into account the considerations  identifiedat
     section 155(2)-(4)  DPA.


111. This refersto and repeats the matters listed in Article 83( 1) and (2) as set

      out above. The breach was a negligent one which involved personal data
      of those individuals linked to court cases for criminal and civil

      proceedings. The affected personal data involved (but was not limited to)
      basic identifiers, financial and economic data and other special category

      data. The Commissioner has outlined above a number of failings identified

      in respect of Tuckers' steps to take appropriate organisational and
      technical measures. These failings resulted in 972,191 individual files

      being encrypted. Of these, 24,711 related to court bundles which
      contained a wide range of personal data. Of the 24,711 court bundles, 60

      were exfiltrated.


112. The Commissioner acknowledges Tuckers' cooperation throughout the
      investigatioand the steps taken by Tuckers to contact the individuals

      affected by the breach in line with Article 34 GDPR.




                                     37,                                                                •

                                                               ICO.
                                                               Information Commissioner's Office

113. The duration of the infringemenwas up to 2 years and 3 months, though
      the precise period varied between the particular contraventions.


114. Based on the above, the Commissioner finds that the starting point for

      any penalty in respect of this breach is 3.25% of Tucker's annual turnover
      for 30 June 2020.



Step 3: Adding in an element   to reflect and aggravating factors {Article
      83{2){k)).


115. The Commissioner notes Tuckers' failure to comply with the SRA code of

      conduct, but has not applied any increase to the penalty percentage of

      3.25% in this instance.


Step 4: Adding an amount for deterrent   effect to others.


116. No increase has been applied for this factor in this instance.


Step 5: Reducing the amount to reflect any mitigating   factors including

      ability to pay.


117. Prior to serving the Notice of Intent, the Commissioner noted the steps
      taken by Tuckersto avoid future breaches in light of this incident

      (including purchase of software, automated deletion, implementatofn

      MFA and staff trainingHe believed that these were processes which
      should have been in place in any event, and applied no reduction for this.


118. The Commissioner has gone on  to consider the extensive representations

      made by Tuckers in response to the Notice of Intent, including

      representationsmade in respectof the proposed penalty sum and the
      impact of a penalty on the firm. The Commissioner is satisfied that

                                      38,                                                                  •

                                                                 ICO.
                                                                 Information Commissioner's Office

     Tuckers has submitted significant representationsregarding the
      circumstances of the incident and the subsequent further remedial

      measures implemented following the breach, including:


        Additional IT staff members
        Increased training and professional penetration testing



119. The Commissioner has also considered:


      - Tuckers financial position

      - Additional information which was provided which narrowed the scope of
        the Commissioner's findings in relation to the contravention

      - Representations made in relation to managing IT staff illness/shortages

      - The  important work Tuckers do in protecting vulnerable individuals
      - Further clarification that the infringemenidentified were purely in

        relation to Tuckers' archive system


120. Taking  into account all of the factors set out above, the Commissioner has

      decided to impose a penalty on Tuckers of £98,000 (ninety-eight
      thousand  pounds).


   Payment of the penalty



121. The penalty must be paid to the Commissioner's office by BACS transfer
      or cheque by 29 March 2022 at the latest. The penalty is not kept by the

      Commissioner but will be paid into the Consolidated Fund which is the
      Government's general bank account at the Bank of England.



122. There is a right of appeal to the First-tier Tribunal (InformaRights)
      against:


                                       39,                                                            •

                                                            ICO.
                                                            Information Commissioner's Office


             (a) The imposition of the penalty; and/or,
             (b) The amount of the penalty specified in the penalty notice


123. Any notice of appeal should be received by the Tribunal within 28 days of
     the date of this penalty notice.


124. The Commissioner willot take action to enforce a penalty unless:


        • the period specified within the notice within which a penalty must be

             paid has expired and allany of the penalty has not been paid;


        • all relevant appeals against the penalty notice and any variation of it
             have either been decided or withdraand


        • the period for appealing against the penalty and any variation of it

             has expired.


125. In England, Wales and Northern Ireland, the penalty is recoverable by
     Order of the County Court or the High Court. In Scotland, the penalty can

     be enforced inhe same manner as an extract registered decree arbitral
     bearing a warrant for execution issued by the sheriff court of any

     sheriffdom in Scotland.


126. Your attention is drawn to Annex 1 to this Notice, which sets out details of
     your rights of appeal under s.162 DPA.









                                    40,                                                    •

                                                    ICO.
          th                                        Information Commissioner's Office
Dated the 28day of February 2022

Stephen Eckersley
Director of Investigations
InformatioCommissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 SAF

































                              41,                                                             •

                                                             ICO.
                                                             Information Commissioner's Office

ANNEX 1


        Rights of appeal against decisions of the commissioner


1.    Section 162 of the Data Protection Act 2018 gives any person upon
      whom a penalty notice or variation notice has been served a right of

      appeal to the First-tier Tribunal (InformRights) (the 'Tribunal')
      against the notice.



2.    If you decide to appeal and if the Tribunal considers:-


      a)   that the notice against which the appeal is brought is not in
           accordance with the law; or



      b)   to the extent that the notice involved an exercise of discretion by
           the Commissioner, that he ought to have exercised his discretion

           differently,


     the Tribunal will allow the appeal or substitute such other decision as
      could have been made by the Commissioner. In any other case the

     Tribunal will dismiss the appeal.


3.    You may bring an appeal by serving a notice of appeal on the Tribunal

      at the following address:


           GRC & GRPTribunals
           PO Box 9300
           Arnhem House
           31 Waterloo Way
           Leicester
           LEl 8DJ

           Telephone: 0203 936 8963
           Email:     grc@justice.gov.uk

                                   42,                                                               •

                                                               ICO.
                                                               Information Commissioner's Office



      a)   The notice of appeal should be sent so it is received by the
           Tribunal within 28 days of the date of the notice.


      b)   If your notice of appeal is late the Tribunal will not admit it

           unless the Tribunal has extended the time for complying with this
           rule.


4.    The noticeof appeal should state:-



      a)   your name and address/name and address of your representative
           (if any);


      b)   an address where documents may be sent or delivered to you;


      c)   the name and address of the Information Commissioner;


      d)   details of the decision to which the proceedings relate;



      e)   the result that you are seeking;


      f)   the grounds on which you rely;


      g)   you must provide with the notice of appeal a copy of the penalty
           notice or variation notice;


      h)   if you have exceeded the time limit mentioned above the notice

           of appeal must include a request for an extension of time and the

           reason why the notice of appeal was not provided in time.



                                    43,                                                       •

                                                       ICO.
                                                       Information Commissioner's Office
5.   Before deciding whether or not to appeal you may wish to consult your
     solicitor or another advAt the hearing of an appeal a party may
     conduct his case himself or may be represented by any person whom

     he may appoint for that purpose.

6.   The statutory provisions concerning appeals to the First-tier Tribunal

     (General Regulatory Chamber) are contained in sections 162 and 163
     of, and Schedule 16, the Data Protection Act 2018, and Tribunal

     Procedure (First-tier Tribunal) (General Regulatory Chamber) Rules
     2009 (StatutorInstrument2009 No. 1976 (L.20)).






























                                44