Hackers gained access to the IT systems of criminal defence firm Tuckers Solicitors LLP and compromised more than 24,700 court bundles containing sensitive data such as medical files and witness statements.

The files were encrypted by the attackers, while 60 of them – 15 relating to criminal court proceedings and 45 relating to civil proceedings – were also exfiltrated and released on the dark web.

Following an investigation, the ICO concluded that Tuckers had contravened Article 5(1)(f) GDPR because of “data security contraventions” and “inadequate” technical and organisational measures to protect sensitive data.

In particular, the privacy watchdog noted the lack of multi-factor authentication (MFA) for remote access to the Tuckers systems, the slow pace at which software vulnerabilities were patched and a failure to encrypt personal data.

The firm was aware prior to the attack that its security was not at the level of the NCSC Cyber Essentials, having been assessed against the criteria and failing to meet crucial aspects.

“Given the personal data that Tuckers was processing, including special category data of very vulnerable individuals, the Commissioner believes that it is reasonable to expect that the security within Tuckers should have not only have met, but surpassed the basic requirements of Cyber Essentials,” the ICO said.

“The fact that some 10 months after failing Cyber Essentials it had still not resolved this issue is, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.”

The ICO ultimately decided to impose a penalty of £98,000 to be paid by 29 March 2022 at the latest.

A spokesperson for Tuckers Solicitors told the Law Society Gazette: “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.

“We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.

“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”