UK Information Commissioner’s Office reprimands UK law firm Levales Solicitors for poor protection of data affected by a data breach

October 16, 2024

Law firms are prime targets for data breaches. One need only look at the recent massive data breach at HWL Ebsworth. Entry into a law firm can come through any of a range of third party providers, such as an outsourced IT service. The UK Information Commissioner’s Office has reprimanded a UK law firm, Levales Solicitors, for breaching the General Data Protection Regulation. The incident affected 8,234 UK individuals, of whom 863 were deemed at high risk because of the nature of the data involved.

According to the reprimand:

  • The breach occurred after an unknown threat actor gained access to the secure cloud-based server via legitimate credentials, later publishing the data on the dark web
  • 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.
  • the data involved was:
    • Name
    • Date of Birth
    • Address
    • National Insurance Number
    • Prisoner Number
    • Health Status
    • Details of Criminal allegations not charged
    • Details of Criminal allegations prosecuted
    • Outcomes of investigations and prosecutions
    • Details of complainants and victims both adult and children
    • Previous Convictions
    • Legally privileged information and advice
  • Levales did not implement appropriate technical and organisational measures to ensure their systems were secure: having outsourced their IT management to a third party, they were unaware of the security measures in place, such as detection, prevention, and monitoring.
  • Levales had not reviewed whether the technical measures associated with the contract were appropriate for the personal data they were processing since the contract was first signed in 2012.

The reprimand was reported in the Law Society Gazette. Its report provides:

A Hampshire law firm has been reprimanded by the data watchdog after hackers were able to access client details because of insufficient security measures. 

Levales Solicitors LLP, which specialised in criminal and military law, was found by the Information Commissioner’s Office to have failed to ensure the confidentiality of its processing systems.

An ‘unknown actor’ had accessed the firm’s secure cloud-based server and later published the data on the dark web. The material stolen included names, addresses, national insurance numbers, prisoner numbers and health status of clients.

In total, 8,234 UK data subjects were affected. Of these, 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.

The ICO said Levales had breached regulations requiring organisations to ‘ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services’.

Levales did not have multi-factor authentication (MFA) for the affected domain account and relied on computer prompts for the management and strength of passwords. The hackers were able to gain access to the administrator level account through compromised account details, and the firm has not been able to confirm how these were obtained.

The ICO said multi-factor authentication is a ‘basic measure’ which firms processing personal data would be expected to implement.

The commissioner added: ‘Levales Solicitors LLP did not implement appropriate technical and organisational measures to ensure their systems were secure. Levales outsourced their IT management to a third party and were unaware of security measures in place at the time of the incident, such as detection, prevention, and monitoring.

‘Levales had not reviewed if the technical measures associated with the contract were appropriate for the personal data they were processing since the contract was first signed in 2012.’

The firm said it had taken remedial steps in the light of the incident. This includes the introduction of MFA for all user accounts, updated service contracts with third party providers, and a complete review of existing systems.

Given these changes, the ICO said a reprimand was an appropriate penalty.
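The two control gaps the Gazette extract identifies (no MFA on an administrator-level account, and password strength left to default prompts rather than an enforced policy) are straightforward to audit from an account export. The script below is an added example, not code from the ICO, the Gazette or Levales; the CSV columns, role labels and account names are assumptions, and the sample export is constructed.

```python
"""Audit an account export for the control gaps cited in the Levales reprimand:
privileged accounts with no MFA, any account with no MFA, and passwords whose
strength is left to client-side prompts instead of an enforced policy.
Example code added for illustration; the export format, column names and role
labels are assumptions, and the sample export below is constructed."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (no real accounts). Column names are assumptions.
SAMPLE_INVENTORY = """\
account,role,mfa_methods,password_policy
admin@example.test,admin,,prompt-only
it-support@example.test,admin,authenticator,enforced
fee.earner1@example.test,user,sms,enforced
fee.earner2@example.test,user,,prompt-only
"""

PRIVILEGED_ROLES = {"admin"}          # roles treated as administrator-level
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    account: str
    severity: str   # "high", "medium" or "low"
    issue: str


def load_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows):
    """Return findings sorted by severity, then account name.

    MFA missing on a privileged account is high (the Levales failure mode);
    MFA missing elsewhere is medium, because the expected control is MFA for
    all accounts. An unenforced password policy is medium for privileged
    accounts and low otherwise.
    """
    findings = []
    for row in rows:
        account = row["account"].strip()
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES
        has_mfa = bool(row["mfa_methods"].strip())
        if not has_mfa:
            findings.append(Finding(account, "high" if privileged else "medium",
                                    "no MFA method registered"))
        if row["password_policy"].strip().lower() != "enforced":
            findings.append(Finding(account, "medium" if privileged else "low",
                                    "password strength left to prompts, no enforced policy"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.account))
    return findings


def control_passes(findings):
    """The control passes only when nothing above 'low' remains, i.e. every
    account has MFA and every privileged account has an enforced password policy."""
    return all(f.severity == "low" for f in findings)


def report(text):
    """Audit an export and return (findings, passes) so callers can check the result."""
    findings = audit(load_inventory(text))
    return findings, control_passes(findings)


if __name__ == "__main__":
    found, ok = report(SAMPLE_INVENTORY)
    for f in found:
        print(f"[{f.severity.upper():6}] {f.account}: {f.issue}")
    print("control passes" if ok else "control FAILS")
```

Run against the constructed export, the unprotected administrator account is the single high finding; the control only passes once every account has an MFA method registered, which matches the remediation the firm reported (MFA for all user accounts). In practice the export would come from the identity provider the outsourced IT supplier manages, and reviewing it is the kind of check the reprimand says had not happened since 2012.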
