The Information Commissioner’s Office (ICO) has reprimanded a law firm after a cyber-attack led to a data breach and four fraudulent payments being made on a probate matter.
It criticised County Durham firm Swinburne Snowball & Jackson (SSJ) for not having sufficient protections in place and not knowing it had to report data breaches to the ICO.
A notice published yesterday said a spear phishing attack on an employee Outlook email account “interfered with payments to beneficiaries of a probate matter”.
Four fraudulent payments were identified but the ICO redacted how much money was involved. It was repaid by the firm around two weeks later.
The first malicious sign-in occurred on Monday 11 January 2021 but the firm did not realise for three days and the account password was only changed on 15 January.
SSJ then reported the matter to its personal data insurer and the Solicitors Regulation Authority (SRA), and the ICO 11 days later.
The ICO investigation found that SSJ did not have a “suitable contract in place with its IT provider that defined security responsibilities or the level of security required”.
As a result, the firm was unable to demonstrate if or how “preventative, detective or auditing measures were implemented with regards to its email accounts”.
SSJ also did not have multi-factor authentication (MFA) in place for the affected email account, saying its IT contractors had not previously recommended this.
However, the ICO noted that the National Cyber Security Centre (NCSC), SRA and Law Society all “promoted the use of strong or multi-factor authentication” to make unauthorised access more difficult.
The ICO went on: “Given the nature of SSJ’s business and the scope of information it processes and has access to, including financial transactions, it would be anticipated that appropriate security measures, such as MFA, or formal accreditations, such as the NCSC’s Cyber Essentials, would be in place to protect this data. Post incident, SSJ has indicated it has implemented MFA.”
SSJ started but did not complete accreditation to the NCSC’s Cyber Essentials scheme, while SSJ also has the Law Society’s Lexcel quality mark, which says firms should have Cyber Essentials.
As a result, the ICO found that SSJ had failed to comply its obligations under the GDPR to process personal data securely and to have appropriate measures in place “to ensure a level of security appropriate to the risk and ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”.
In deciding that a reprimand was appropriate, the ICO acknowledged that SSJ had promptly notified affected individuals, repaid the money lost, commissioned a third-party cyber-security firm to investigate and sought advice and assistance with remedial measures from its IT consultants.
The ICO made a series of standard recommendations on governance, identity and access controls, technical control selection, staff training and awareness, and supply chain security, but stressed that these were not compulsory.
“However, if further information relating to this matter comes to light, or if any further incidents or complaints are reported to us, further regulatory action may be considered.”
Businesses have 72 hours to report a personal data breach to the ICO, unless it is unlikely to result in a risk to the rights and freedoms of an individual.
The regulator said: “In this instance, we understand from SSJ’s breach report that SSJ was initially unaware of the 72-hour deadline and focused primarily on identifying and containing the damage caused by the breach.
“SSJ further explained it was a small practice and had taken action to report to the SRA and insurers within 24 hours.”
The ICO said it was “concerned” that SSJ was not “immediately aware of the reporting requirements under the GDPR” and urged the firm to ensure staff were trained on them.
We have approached SSJ for comment.
Legal Features
