The Information Commissioner’s Office (ICO) has reprimanded a law firm for failing to protect sensitive client data, which was leaked onto the dark web.
- Hampshire-based Levales Solicitors LLP suffered a security breach after a threat actor accessed their secure server via compromised credentials.
- The firm lacked multi-factor authentication (MFA) and comprehensive password policies, contributing to the breach.
- Approximately 8,234 UK individuals were affected, with 863 at high risk due to exposure of sensitive data including criminal records.
- The ICO’s investigation highlighted insufficient security measures and the absence of rigorous IT oversight at Levales.
The Information Commissioner’s Office (ICO) reprimanded Levales Solicitors LLP, a law firm situated in Hampshire, due to their inadequate protection of client data. This incident resulted in sensitive information being exposed on the dark web. The firm, specialising in criminal and military law, was unaware of the security protocols managed by its third-party IT provider. Critically, the firm did not employ multi-factor authentication (MFA), a fundamental security measure that the ICO recommends all organisations handling personal data implement, regardless of their risk assessment.
The breach occurred when an unknown threat actor accessed Levales’ secure server, utilising legitimate credentials, which led to the subsequent publication of the data on the dark web. In total, the breach affected 8,234 UK data subjects. Alarmingly, 863 individuals were categorised as being at ‘high risk’ of harm or detriment due to the exposure of sensitive categories of data such as charges, convictions, and legally privileged information regarding complainants and victims.
The ICO observed that Levales did not maintain the required confidentiality of its processing systems, citing non-compliance with Article 32(1)(b) of the General Data Protection Regulation (GDPR). The lack of MFA for the affected domain account and reliance on computer-generated prompts for password strength, without an established password policy, were noted as significant security oversights. Levales also could not confirm the method by which account credentials were compromised, signifying a lack of appropriate security scrutiny.
Additionally, the law firm had outsourced its IT management to a third party but failed to review whether the technical measures in place were suitable for safeguarding personal data since the initiation of their contract in 2012. The ICO emphasised the necessity for organisations to review and understand their contractual obligations with managed service providers to ensure data security.
In response to the reprimand, Levales has undertaken remedial actions, including the implementation of MFA across all user accounts, updating service contracts with third-party providers, and thoroughly reviewing its existing systems to prioritise necessary upgrades and enhance their firewall protections.
The ICO’s reprimand of Levales Solicitors underscores the critical importance of rigorous IT security measures and regular oversight to protect sensitive client data effectively.
