A recent £60,000 fine issued to Merseyside-based law firm DPP Law Ltd (DPP) by the Information Commissioner’s Office (ICO) has highlighted the serious consequences businesses can face when cybersecurity measures fall short. The fine followed a major cyber attack in 2022 that resulted in highly sensitive and confidential client information being stolen and later published on the dark web.
While DPP operates in particularly sensitive legal areas – such as crime, military, family, fraud, sexual offences and actions against the police – the lessons from this incident apply broadly to any organisation that handles personal data.
What went wrong?
The ICO found that DPP failed to implement appropriate security measures to safeguard electronic data. The attackers gained access via a little-used administrator account that did not have multi-factor authentication (MFA) enabled. From there, they were able to move across the firm’s network and exfiltrate over 32GB of data.
DPP became aware of the breach when the National Crime Agency informed them that stolen client data had surfaced on the dark web. However, DPP did not consider the incident to amount to a personal data breach and so did not report it to the ICO until 43 days after becoming aware of it. The law requires breaches to be reported within 72 hours of awareness in most cases.
Lessons for all organisations
This case serves as a clear reminder that data protection is a legal obligation – not a technical afterthought. According to the ICO’s interim Director of Enforcement and Investigations, Andy Curry:
“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access… This penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”
There are several key lessons organisations can take from this incident:
- Multi-Factor Authentication (MFA) is essential – Especially for administrator or privileged accounts. It adds an extra layer of security that can prevent unauthorised access even if a password is compromised.
- Legacy and little-used accounts and systems need regular attention – Even if they are rarely used, they still pose a risk if left unpatched, unmonitored or without MFA. Accounts that are no longer needed should be disabled rather than left dormant.
- Monitor for unusual access or activity – Regular security scans and alerts can help spot intrusion attempts early, for example a sign-in to an account that has been idle for months, or from a location never seen before.
- Know your breach reporting obligations – If there is a risk to individuals’ rights or freedoms, breaches must usually be reported to the ICO within 72 hours.
- Cybersecurity is an ongoing responsibility – The law expects organisations to proactively assess and update their cybersecurity measures.
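To make the first three lessons concrete, the following Python script is an added illustration (it is not code from the ICO, from DPP or from the report cited below). It runs three simple checks over a constructed directory export and a constructed sign-in log: privileged accounts without MFA, a successful sign-in to an account that had been dormant for more than 90 days, and a successful sign-in from a source IP never before seen for that user. The log format, the account names and the 90-day dormancy threshold are assumptions chosen for the example; a real deployment would read these from the identity provider and tune the threshold.

```python
"""
Audit checks for the pattern in the DPP case: a rarely used privileged
account without MFA, and a sign-in to it that went unnoticed.
All data below is constructed for illustration and is not real log data.
"""
from datetime import datetime, timedelta

# Constructed directory export: which accounts are privileged and whether MFA is enforced.
ACCOUNTS = [
    {"user": "alice.admin", "privileged": True, "mfa": True},
    {"user": "svc-backup-admin", "privileged": True, "mfa": False},  # little-used, no MFA (assumed)
    {"user": "bob", "privileged": False, "mfa": False},
]

# Constructed sign-in log, one event per line: timestamp user source_ip result.
# Deliberately not in chronological order, as exported logs often are not.
SIGNIN_LOG = """\
2022-05-01T09:12:00 alice.admin 10.0.0.5 success
2022-05-02T09:15:00 alice.admin 10.0.0.5 success
2022-01-10T02:00:00 svc-backup-admin 10.0.0.9 success
2022-06-03T03:40:00 svc-backup-admin 185.0.0.1 failure
2022-06-03T03:41:00 svc-backup-admin 185.0.0.1 success
2022-06-03T03:42:00 svc-backup-admin 185.0.0.1 success
"""

DORMANT_DAYS = 90  # assumed threshold; tune to the organisation's normal usage


def parse_log(text):
    """Parse the assumed 'timestamp user ip result' format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result})
    return events


def privileged_without_mfa(accounts):
    """Privileged accounts that can be taken over with a password alone."""
    return sorted(a["user"] for a in accounts if a["privileged"] and not a["mfa"])


def dormant_account_signins(events, dormant_days=DORMANT_DAYS):
    """Successful sign-ins to an account whose previous success was more than dormant_days earlier."""
    last_seen = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue  # failures do not reset the dormancy clock
        prev = last_seen.get(ev["user"])
        if prev is not None and ev["ts"] - prev > timedelta(days=dormant_days):
            findings.append((ev["user"], ev["ts"].isoformat(), ev["ip"]))
        last_seen[ev["user"]] = ev["ts"]
    return findings


def new_source_signins(events):
    """First successful sign-in per user from a source IP not seen before for that user.

    A user's very first sign-in establishes a baseline and is not reported.
    """
    seen_ips = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        ips = seen_ips.setdefault(ev["user"], set())
        if ips and ev["ip"] not in ips:
            findings.append((ev["user"], ev["ts"].isoformat(), ev["ip"]))
        ips.add(ev["ip"])
    return findings


def audit(accounts, log_text):
    """Run all three checks and return the findings grouped by check name."""
    events = parse_log(log_text)
    return {
        "privileged_without_mfa": privileged_without_mfa(accounts),
        "dormant_account_signins": dormant_account_signins(events),
        "new_source_signins": new_source_signins(events),
    }


if __name__ == "__main__":
    for check, findings in audit(ACCOUNTS, SIGNIN_LOG).items():
        print(f"{check}: {findings}")
```

On the constructed data the script reports `svc-backup-admin` as a privileged account without MFA, and flags its 03:41 sign-in on 3 June both as a return from 144 days of dormancy and as the first success from an unseen address; the failed attempt a minute earlier and the second success from the same address are not reported. Each of those findings is the kind of alert that, in the DPP case, would have had to be acted on before 32GB of data left the network.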
Are there any resources available to help?
The ICO provides guidance to help organisations of all sizes understand their responsibilities around data security. You might find it helpful to look at their cyber report, Learning from the mistakes of others.