In April 2025, the UK's Information Commissioner's Office (ICO) fined a law firm £60,000 following a cyber attack that exposed highly sensitive personal data on the dark web. The case is a stark reminder that robust cybersecurity and timely breach reporting are not optional extras but legal obligations, particularly for organisations handling sensitive information.
What Happened?
The firm suffered a cyber attack in June 2022 that disrupted access to its IT systems for more than a week. A subsequent investigation revealed that attackers gained unauthorised access through a little‑used administrator account that did not have multi‑factor authentication (MFA) enabled.
Once inside the system, the attackers were able to move laterally across the network and extract a large volume of data. The firm only became aware of the scale of the breach when the National Crime Agency contacted it to say client information had appeared on the dark web.
Given the firm’s areas of practice—including criminal law, sexual offences, family matters, and actions against the police—the compromised data contained highly sensitive and confidential personal information, including legally privileged material.
Key Failings Identified by the ICO
The ICO found that the firm failed to implement appropriate technical and organisational measures to protect personal data, in breach of UK GDPR requirements. Key failings included:
- Allowing an administrator account with excessive privileges to remain active without MFA
- Insufficient protection of electronically held personal data
- A lack of effective controls to prevent unauthorised access
These shortcomings meant the firm did not adequately safeguard the sensitive information entrusted to it by clients, leaving that data vulnerable to cybercriminals.
Delayed Breach Notification
The ICO also highlighted serious failings in the firm’s response to the incident. The firm did not report the personal data breach to the ICO until 43 days after becoming aware of it, significantly exceeding the 72‑hour reporting requirement under the UK GDPR.
The firm initially believed that losing access to its data did not amount to a reportable personal data breach. The ICO made clear that this was incorrect: the UK GDPR definition of a personal data breach (Article 4(12)) covers loss of availability of personal data as well as its unauthorised disclosure, so a ransomware-style lockout is itself notifiable, even before any exfiltration is confirmed.
ICO’s Message to Organisations
Andy Curry, Interim Director of Enforcement and Investigations at the ICO, emphasised that data protection is a legal obligation, not a choice. He stated that the fine should act as a clear warning that failure to protect personal data can lead to serious financial and reputational consequences.
By publicising this enforcement action, the ICO aims to reinforce the importance of regularly assessing cybersecurity frameworks and taking proactive steps to prevent similar incidents.
Lessons for Law Firms and Beyond
This case offers important lessons not just for law firms, but for all organisations handling personal and special category data:
- Enable multi-factor authentication on all privileged accounts, including those used infrequently or by third parties
- Regularly review access controls and legacy systems, and disable or remove dormant and unnecessary administrator accounts rather than leaving them active
- Understand what constitutes a reportable data breach under the UK GDPR, including loss of availability, not only confirmed disclosure
- Act quickly when incidents occur, both to contain the risk and to meet the 72-hour notification deadline
The firm’s fine underlines that cybersecurity lapses, even when unintentional, can have long‑lasting consequences.