Introduction
On 16th April 2025, a penalty notice for £60,000 was released by the Information Commissioner’s Office (ICO). This followed an investigation of a security incident that took place in June 2022 at a Merseyside-based law firm. This penalty notice is important to understand as it can help us prevent similar incidents and also learn more about penalties relating to data protection. In this article, we review the penalty notice, examine the extent of the exposure, identify key lessons learned, explore how the cyber attack occurred, and highlight the benefits of Cyber Essentials.
Incident Overview
In June 2022, the law firm suffered a cyber attack that affected its IT systems for over a week. Unauthorised access appears to have been established via a brute force (username/password guessing) attack. Following this initial access, threat actors are reported to have exfiltrated data and deployed ransomware. 32.4GB of data later appeared on the dark web, including Word documents, photos, and video relating to clients and experts. The key findings point to a lack of appropriate security measures (no multi-factor authentication, an over-privileged account, no risk assessment) and a failure to notify the Information Commissioner’s Office within 72 hours of becoming aware of a notifiable data breach.
Brute Force Attack, followed by Ransomware
- Brute force and ransomware attacks are favoured by threat actors.
- For initial access, a brute force attack gains unauthorised access to an account through the guessing of multiple combinations, until the correct combination is found.
- Once this initial point of weakness is exploited, the threat actor may attempt to traverse the network, set up ‘command and control’, infect devices, and covertly copy or move data.
- By encrypting systems and data, a threat actor can disrupt operations, further threaten the impacted organisation, and gain additional leverage from the fact that data has already been exfiltrated.
- The more valuable the data, the more leverage the threat actor may have.
An illustration of a common ransomware attack chain is shown below.
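Because initial access in this case came from password guessing, the pattern a defender wants to spot is a burst of failed logins for one account from one source, especially when it ends in a successful login. The following is an added example, not code from the original article or from the firm involved; it runs over a constructed authentication log in an assumed "timestamp result user= src=" format and flags such bursts using a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the penalty notice or any real system).
# Assumed line format: "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>"
SAMPLE_LOG = """\
2022-06-01T02:00:01 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:03 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:05 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:07 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:09 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:11 FAIL user=jsmith src=203.0.113.7
2022-06-01T02:00:13 OK   user=jsmith src=203.0.113.7
2022-06-01T09:15:00 FAIL user=aadmin src=198.51.100.4
2022-06-01T09:15:20 OK   user=aadmin src=198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {(user, src): verdict} for account/source pairs whose failure count
    inside the sliding window reaches `threshold`. The verdict is 'burst' while only
    failures have been seen, and 'burst_then_success' if a successful login follows
    the burst while those failures are still inside the window (likely compromise)."""
    recent = defaultdict(list)  # (user, src) -> timestamps of failures still in window
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        key = (user, src)
        fails = recent[key]
        # Discard failures that have aged out of the sliding window.
        while fails and ts - fails[0] > window:
            fails.pop(0)
        if result == "FAIL":
            fails.append(ts)
            if len(fails) >= threshold:
                verdicts[key] = "burst"
        elif result == "OK" and len(fails) >= threshold:
            verdicts[key] = "burst_then_success"
    return verdicts
```

A single failure followed by success (the aadmin lines) is normal user behaviour and is not flagged; tune the threshold and window to your own lockout and MFA policy.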
Data Breach and Impact
The report states that the threat actor gained access to personal data (of 791 data subjects) and sensitive data (including DNA, legal, and criminal offences). The law firm’s systems were not operating properly for around one week.
Key findings
Article 32 of the UK Data Protection Act 2018 (UK GDPR) refers to appropriate measures being in place relating to the protection of data. Article 33 requires controllers to notify the Commissioner within 72 hours of becoming aware of a personal data breach. This applies unless the breach is unlikely to risk the rights or freedoms of individuals. The ICO review determined that the law firm:
- “Failed to implement appropriate technical and security measures”
- “Failed to audit and adequately manage accounts”
- “Did not notify the Commissioner within 72 hours of becoming aware that the cyber incident had caused a notifiable personal data breach.”
ICO statements made in conjunction with the penalty notice include:
- “In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cyber security frameworks and act responsibly in putting in place robust measures to prevent similar incidents.”
- “Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the incident.”
- “Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”
This penalty notice therefore serves as a helpful reminder that:
- As well as an organisational need for appropriate security measures, data controllers are required to notify the ICO within 72 hours of a notifiable personal data breach.
Links with Cyber Essentials
- Cyber Essentials focuses on the implementation of five technical controls and references the use of multi-factor authentication and least privilege account management.
- The ICO report references the Cyber Essentials scheme and notes that at the time of the incident, the law firm did not have Cyber Essentials.
- Supply chain risk can be managed by mandating that suppliers and partners are Cyber Essentials certified.
Lessons Learned
- Brute force: threat actors use password-guessing techniques to try and gain unauthorised access to accounts.
- Multi-factor authentication: MFA can add an extra layer of security to further protect accounts from attacks such as brute force. Please see our previous blog for more details on how MFA relates to the Cyber Essentials scheme.
- Least privilege: granting users only the level of access required to perform their role minimises the risk of unauthorised access and personal data breaches. Please see our previous blog for more details on how User Access Control relates to the Cyber Essentials scheme.
- Supply Chain Management: Operational impact can be managed by mandating Cyber Essentials in the supply chain.
- Data Protection is crucial for organisations – penalties can be issued for lack of appropriate security measures and for not informing the ICO within 72 hours of a notifiable data breach.
- Cyber Essentials risk reduction: Implementing the technical controls can help reduce the risk of data breaches, penalty notices, and fines.
- Penalty notice detail: dpp-law-ltd-monetary-penalty-notice.pdf.
Conclusion
A penalty notice of over £60,000 was issued by the Information Commissioner’s Office on 16th April 2025, relating to a cyber attack that took place in June 2022. The initial point of attack was linked to a brute force attack against a law firm. The attack resulted in the loss of personal data relating to 791 data subjects. Sensitive personal data was also exposed. The ICO identified that the law firm failed to implement appropriate security measures to protect personal data. Additionally, they did not report the data breach within the required 72-hour window, breaching Articles 32 and 33 of the UK GDPR. Controls associated with multi-factor authentication and least privilege are referenced in more detail within the report. The Cyber Essentials scheme requires five technical controls to be in place to prevent common forms of cyber attack, such as ransomware, and makes reference to multi-factor authentication and least privilege.
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Cyber Advisor certified – we’re proven to help organisations understand and implement technical controls.
- Vulnerability Assessment Plus certified – we have skills and tools to identify weaknesses, risk rank findings to support prioritisation, and provide remediation advice to enable swift action to be taken.
- IASME Cyber Essentials Plus Assessor certified – we’ve been tested to assess organisations against the requirements and provide advice on how to apply fixes.
- Cyber Essentials Plus Certification Body certified – we’re trusted to issue certificates to organisations that have met the required standards.
If you would like assistance with implementing controls or with Cyber Essentials / Cyber Essentials Plus certification, contact us for support.