2025-11-28

A law firm was fined by the Information Commissioner's Office (ICO) after more than 30 gigabytes of data were compromised in a cyber attack.

A malicious digital breach in 2022 exposed the inadequacies in the firm’s security measures.

The leaked information included court bundles, documents, photographs and video evidence.

The practice handles cases ranging from crime and family fraud to sexual offences and actions against the police. It works with vulnerable clients, including children and victims.

The sensitive nature of the information had the potential to jeopardise legal proceedings. The identities of protected victims and witnesses were also exposed.

Under the UK General Data Protection Regulation (GDPR), law firms must implement security measures that are appropriate to the rights and freedoms of their clients and their data.

At the time of the breach, the organisation’s email server stopped working and staff couldn't access the IT network.

The in-house IT manager investigated the issue and found all the organisation’s files had been corrupted. An external IT supplier suggested that a ransomware incident had occurred.

The organisation reviewed its firewall and server logs, and found there had been 400 attempts to access the network over the previous four months.

In line with UK GDPR and the Data Protection Act 2018, notifiable data breaches (those which pose a risk to individuals’ rights and freedoms) must be reported to the ICO within 72 hours of discovery.

However, the organisation stated it did not believe data had been compromised, so did not report the breach.

41 days after the incident, the National Crime Agency (NCA) informed the firm that client data had been published on the dark web.

Two days later, the firm reported the incident to the ICO.