Data breach at DPP Law: A wake-up call for the legal sector

In a striking reminder of the cyber risks facing legal professionals, Merseyside-based DPP Law Ltd has been fined £60,000 by the Information Commissioner’s Office (ICO) following a serious data breach. The breach resulted in highly sensitive client data being published on the dark web. DPP Law is appealing the fine; however, the facts of the case raise urgent questions about how well law firms are safeguarding confidential information.

What was the data breach?

In June 2022, DPP Law, which specialises in criminal and family law, suffered a cyber attack that disrupted access to its IT systems for more than a week. A third-party consultancy later determined that:

  • Hackers used brute-force tactics to access an infrequently used administrator account.
  • The account did not have multi-factor authentication (MFA) enabled.
  • Attackers gained access to a legacy case management system and moved laterally across the network.
  • Over 32GB of personal and legally privileged data was stolen.

DPP only became aware of the breach when the National Crime Agency (NCA) informed them that their client data had been discovered on the dark web.

Surprisingly, the firm did not initially consider the incident a reportable personal data breach and failed to notify the ICO until 43 days later, well beyond the legally required timeframe under data protection law.

What did the ICO investigation find?

The ICO investigation concluded that DPP:

  • Failed to implement adequate security controls, particularly MFA.
  • Continued to use outdated and insecure legacy systems.
  • Delayed reporting the breach, despite the clear legal obligation to do so.

Andy Curry, the ICO’s Director of Enforcement and Investigations, said:

“Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access… Data protection is not optional. It is a legal obligation.”

DPP Law is appealing the ICO’s conclusions. In a statement, Chief Executive Sue Christopher said:

“We disagree with the conclusions reached by the Information Commissioner’s Office, and we will be lodging an appeal. DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified, demonstrating our commitment to robust standards.”

Key data protection lessons for law firms

This breach should serve as a critical warning to all legal professionals handling sensitive, special category, or privileged information. Given the sensitivity of the data they hold, firms must ensure that their data protection standards are the highest possible and that breach notification timelines are rigorously adhered to.

Multi-factor authentication is essential

All administrator and remote access accounts must have MFA enabled by default. This simple step could have prevented the initial access in this case.

Decommission legacy systems

Outdated platforms are often poorly secured. Audit and phase out legacy systems, especially those still connected to live networks.

Monitor for threats in real time

Invest in advanced threat detection and alerting tools. Relying on third parties like the NCA to notify you of a breach is far too late.

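As an added illustration of the kind of monitoring this lesson calls for (example code written for this article's scenario, not anything from DPP Law or the ICO report), the script below scans constructed authentication log lines for a burst of failed logins followed by a success on the same account from the same source, and flags whether that account had been dormant, the pattern described above for the infrequently used administrator account. The log format, thresholds and account names are assumptions.

```python
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed attempts before a success that look like guessing
WINDOW = timedelta(minutes=10)  # the failures must all fall inside this window
DORMANT = timedelta(days=30)    # no successful login for this long = "infrequently used"

# Constructed sample log (hypothetical format: timestamp user source_ip outcome).
SAMPLE_LOG = """\
2022-04-20T09:15:00 admin-legacy 192.0.2.10 SUCCESS
2022-06-10T02:00:01 admin-legacy 203.0.113.7 FAIL
2022-06-10T02:00:02 admin-legacy 203.0.113.7 FAIL
2022-06-10T02:00:03 admin-legacy 203.0.113.7 FAIL
2022-06-10T02:00:04 admin-legacy 203.0.113.7 FAIL
2022-06-10T02:00:05 admin-legacy 203.0.113.7 FAIL
2022-06-10T02:00:09 admin-legacy 203.0.113.7 SUCCESS
2022-06-10T08:30:00 jsmith 192.0.2.11 FAIL
2022-06-10T08:30:20 jsmith 192.0.2.11 SUCCESS
"""
def parse(log_text):
    """Turn each log line into (timestamp, user, source, outcome), oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome))
    return sorted(events)

def detect_bruteforce_logins(log_text):
    """Alert on a success preceded by a burst of failures from the same source,
    and note whether the account had been dormant (no success within DORMANT)."""
    alerts = []
    recent_fails = {}   # (user, source) -> failure timestamps still inside WINDOW
    last_success = {}   # user -> timestamp of the most recent successful login
    for ts, user, src, outcome in parse(log_text):
        key = (user, src)
        fails = [t for t in recent_fails.get(key, []) if ts - t <= WINDOW]
        if outcome == "FAIL":
            fails.append(ts)
            recent_fails[key] = fails
            continue
        if len(fails) >= FAIL_THRESHOLD:
            prev = last_success.get(user)
            alerts.append({
                "user": user, "source": src, "at": ts.isoformat(),
                "failures_before_success": len(fails),
                "dormant_account": prev is None or ts - prev > DORMANT,
            })
        recent_fails[key] = []     # a success resets the burst for this pair
        last_success[user] = ts
    return alerts
```

On the constructed log this raises a single alert for admin-legacy, marked as a dormant account, while jsmith's one mistyped password is ignored.
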
Know the rules on breach reporting

Under UK GDPR, personal data breaches must be reported to the ICO within 72 hours of the firm becoming aware of them. Waiting 43 days, as DPP did, significantly increases regulatory risk.

Certifications aren’t always enough

Being Cyber Essentials certified or Lexcel accredited doesn’t guarantee protection. Security must be proactive and continuously reviewed.

Make cybersecurity a leadership priority

Cyber risk isn’t just an IT issue—it’s a board-level responsibility. Senior leaders must understand the implications and act accordingly.

Assess your law firm’s cyber security procedures today.