Peter A Clarke

Law firms are a prime target for data breaches. They hold significant personal information and sensitive information of corporations and government agencies. The UK Information Commissioner’s Office has imposed a very hefty fine of 60,000 pounds on the Merseyside-based DPP Law Ltd following a cyber attack in June 2022 which resulted in the loss of 32GB of data. The firm only became aware of this loss when it was contacted by the National Crime Agency which advised it that the data had been posted on the dark web. DPP Ltd had poor cyber security with a brute force attack being sufficient to gain access to an administrator’s account and then having the ability to move laterally across its network.  That bespeaks a very rudimentary system.  Then after being notified of the breach it regarded the loss of personal information as not constituing a personal data breach.  It waited 43 days before notifying the ICO.  It is a case study of what not to do.  Which in fact the ICO has done in publicising the litany of errors committed.

The ICO media release provides:

Cyber attack details

In June 2022, DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system. This enabled cyber attackers to move laterally across DPP’s network and take over 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise information relating to their clients had been posted on the dark web. DPP did not consider that the loss of access to personal information constituted a personal data breach, so did not report the incident to us until 43 days after they became aware of it.

You can read the full details of the incident in our monetary penalty notice.

Legal requirements and our guidance

The law requires organisations to take continual and proactive steps to protect themselves against cyber attack. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.

We have detailed guidance to help organisations understand their security obligations, including the duty for all organisations to report personal data breaches.

Last year we published a cyber report, Learning from the mistakes of others, providing insights for people responsible for compliance with data protection legislation and cyber security at their organisation.

Australian firms have been hit with significant and damaging data breaches recently. The HWL Ebsworth data breach via a cyber attack in April 2023. resulted in approximately 2.2 million documents being affected. The Information Commissioner opened an investigation in February 2024, 14 months ago. There has been no public resolution of that investigation. It is the subject of a class action, with the National Justice Project is now representing 12 National Disability Insurance Scheme (NDIS) participants in a class action against HWL Ebsworth. In March cyberdaily reports in Brydens Lawyers suffers alleged 600GB data breach following ransomware attack that the firm had suffered a significant data breach in February 2025. Also in February 2025 Slater and Gordon suffered a humiliating data breach by Read the rest of this entry »

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater concern about children’s privacy, long overdue, it is prudent to look at the review and consider what is being done in Australia.  What is clear is that failure to maintain proper standards with organisations will, if there is some data breach or other issue, result in acute embarrassment for organisations if the regulator reviews its processes and procedures.  Given the Privacy Commissioner now has powers to issue infringement notices/ compliance notices rather than going to the delay and expense of long and drawn out investigations and civil penalty proceedings this is a factor organisations should consider carefully.

Some of the findings from the review are:

• 69% of participants had policies and procedures in place to control the use of children’s data;
• only 67% of those organisations proactively monitored compliance with their policies and procedures.
• 45% of participants had limited assurance that staff are processing children’s information in line with internal or even legislative requirements.
• only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions
• while 97% of participants provided staff with general data protection training however, only 18% of participants included content about the use of children’s personal information
• while 49% of participants say they provided children with age appropriate privacy information ess than a quarter of all participants have carried out any testing to check how easily children would understand their privacy information
• only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process
• When opening a child owned savings account, 83% of participants provided children with privacy information
• 5% of participants also required children to acknowledge that they have read the privacy information, usually recorded by signing the application form
• only 11% of these participants actually carried out any assessment as to whether children are competent enough to understand their notice
• 66% of participants indicated it would be the parent’s (where they are present) responsibility to ensure the child understood privacy information and no attempt would be made to confirm the child understood the privacy information
• 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary
• 40% of participants collected special category data, limited to health data and will only be processed having obtained explicit consent.
• 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain the consent. This did not meet the requirements of the UK GDPR
• 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights or not.  n most cases this age limit was set at 13 years old although some participants had set this age as high as 16 years old.
• 20% of participants who offer products which process children’s information, but are controlled by parents, did not allow children to access their information or exercise this right at any age
• 96% of participants had an embedded process for verifying the age of children when an account is opened
• 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
• 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children
• 33% of participants had a process in place to regularly update the contact information they hold
• Only 8% of participants required children to have access to their own email and/or phone to enable them to open an account, however if children did have these, then this information was recorded in the majority of cases where the child has some control over the account (current or savings accounts). 76% of participants used parents contact information such as email or phone to provide communications.
• Of the participants who do allow marketing to children, 75% of them included opt in and opt out options on the account application form.  The remaining 25% of participants sought consent from the parent only.

The Executive Summary Read the rest of this entry »

23andMe is, or more accurately was, a personal genomics company. It collected genetic information. That is very sensitive. It suffered a data breach in October 2023 when hackers exploited an old password resutling in them gaining access to 6.9 million people. It became the subject of litigation and in June 2024 investigation by the Canadian Privacy Commissioner and the UK Information Commissioner. Early in March the ICO released a notice of intent to fine 23andMe with a 4.59 million fine. 23andMe has just filed for Chapter 11 bankruptcy protection. At minimum that means a restructure. It may continue operating after the restructure. That has raised serious security concerns about the genetic data it holds. The New York Attorney General has urged customers to contact the company to delete their data. In What users need to know about privacy and data after 23andMe’s bankruptcy filing the Conversation sets out the privacy and data management issues from this . That does not alter 23andME’s obligations to protection personal information.

The Conversation’s piece Read the rest of this entry »

The UK Information Commissioners Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a a ransomware attack in August 2022 which  disrupted the operation of NHS services and impacted 79,404 people. The ICO found the Advanced’s security measures fell seriously short of what that  expect from an organisation processing  a large volume of sensitive information. 

While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people.  That included, with respect to 890 people receiving home care, details of how to gain entry to their property. 

Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to  £3.07m. One but not the only reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”.  Other factors were Advanced’s notification to customers within 24 hours of discovery irrespective of whether they were affected, providing a team of 18 people to restore  infrastructure and engaging external experts to undertake a forensic investigation and analysis of the data impacted.  Advanced also undertook a comprehensive review of potentially impacted data.  There are lessons in the Australian context.  It is important for an organisation to react quickly, decisively and engage with all relevant authorities. That means having a plan.

The statement provides:

The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.?  Read the rest of this entry »

The Times reports that the first permanent facial recognition cameras have been installed in London.  It is a being touted as a pilot project but it may be precursor to the scheme being extended across London.  The Information Commissioner’s Office has released guidance on the use of the facial recognition, described as Biometric recognition.  It has also issued specific guidance for Live Facial Recognition Technology for police. There has been significant cases of misuse of facial recognition technology and its privacy implications. The misuse of facial recognition by police is well documented.  And it is misused by the private sector. In February 2024 the ICO ordered Serco Leisure to stop using facial recognition to monitor employee attendance.   The use of CCTV technology and facial recognition technology is more extensive in the United Kingdom than in Australia.  That said, the regulator is quite active in reviewing its operation and the legislation is more rigorous than in Australia. 

It is likely that the use of the facial recognition technology will quickly become more widespread, especially with the use of AI.  Doing so without propely adhering to the provision of the Privacy Act 1988 may attract the attention of the regulator.  On 19 November the Privacy Commissioner published a determination finding Bunnings use of facial recognition breached the Privacy Act.  On the same day the Privacy Commissioner published a guidance on the use of facial recognition technology. It is critical that organisations contemplating using this technology understand their obligations under the Privacy Act 1988.

The Times article provides:

Facial recognition cameras that scan for wanted criminals are being installed permanently on UK high streets for the first time.

The Metropolitan Police will permanently put up live facial recognition (LFR) cameras in Croydon, south London, as part of a pilot project that may see the scheme extended across the capital. Read the rest of this entry »

The most active form of regulation in privacy across the world now relates to protecting children and limiting the data taken from them and used by businesses. The UK Parliament passed the Online Safety Act 2023. The Act imposes new duties on social media companies and search services, making them more responsible for their users’ safety on their platforms. Those new duties include implementing systems and processes to reduce risks that their services are used for illegal activity, and to take down illegal content when it does appear.  Regarding children, platforms are required to prevent children from accessing harmful and age-inappropriate content and provide parents and children with clear and accessible ways to report problems online when they do arise. The main regulator Ofcom has set out an age check guidance regarding accessing online pornography.  The Information Commissioner has had a code of practice for some time regarding the developing an age appropriate design for online platforms. The core of the code are 15 standards.

The 15 standards are:

1. Best interests of the child

2. Data protection impact assessments

3. Age appropriate application

4. Transparency

5. Detrimental Read the rest of this entry »

Employees accessing personal information for purposes other than which that information was collected is a chronic problem. Sometimes the interest is family or friends personal information, breaching confidentiality, police unlawfully accessing personal information and sometimes it is hacking by organisations. There are endless ways personal information can and often are illegally accessed. The key is proper training and proper computer systems.

The Information Commissioner’s actions in prosecuting an insurance worker in Manchester for unlawfully accessing personal information in relation to accident claims. 

The ICO’s media release Read the rest of this entry »

When it comes to poor data security practices and serious data breaches the police and health service providers are generally amongst the worst performers. Both have serious cultural problems in properly treating personal information confidential. Both often have serious system problems, especially with their IT. The UK Information Commissioner’s fine of 750,000 of the Police Service of Northern Ireland is the most recent example. Here the breach was the very common human error of uploading a document onto a webpage.  That happens quite regularly.  Here the document contained the personal information of all employees of the Northern Ireland Police Service.  The consequences were baleful.  The quality assurance processes failed.  While the personal information was viewable for only 3 hours the Police Service are working on the assumption that the information was accessed by dissident republications who would use to intimidate.

The media release provides 

We have fined Police Service of Northern Ireland (PSNI) £750,000 for exposing the personal information of its entire workforce, leaving many fearing for their safety.
Our investigation found that simple-to-implement procedures could have prevented the serious breach, in which hidden data on a spreadsheet released as part of a freedom of information request revealed the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff.
Mindful of the current financial position at PSNI and not wishing to divert public money from where it is needed, the Commissioner used his discretion to apply the public sector approach in this case. Had this not been applied, the fine would have been £5.6 million.

Summary of the breach

On 3 August 2023, PSNI received two freedom of information requests from the same person via WhatDoTheyKnow (WDTK). The first asked for “… the number of officers at each rank and number of staff at each grade …”, the second asking for a distinction between “how many are substantive / temporary / acting …”.
The information was downloaded as an Excel file with a single worksheet from PSNI’s human resources management system (SAP). The data included: surnames and first name initials, job role, rank, grade, department, location of post, contract type, gender and PSNI service and staff number.

As the information was analysed for disclosure, multiple other worksheets were created within the downloaded Excel file. On completion, all visible onscreen worksheet tabs were deleted from the Excel file. The original worksheet, containing the personal details, remained unnoticed and this was also not picked up despite quality assurance. The file was subsequently uploaded to the WDTK website at 14:31 hours on 8 August.
PSNI was alerted to the breach by its own officers at approximately 16:10 hours the same day. The file was hidden from view by WDTK at 16:51 hours and deleted from the website at 17:27 hours.
Six days later, PSNI announced they were working on the assumption that the file was in the hands of dissident republicans and that it would be used to create fear and uncertainty and for intimidation.
John Edwards, UK Information Commissioner said: Read the rest of this entry »

Law firms are prime targets for data breaches. One need only look at the recent massive data breach at HWL Ebsworth. Entry into law firms can be through a range of third party providers such as IT services. The UK Information Commissioner has reprimanded a UK Law Firm, Levales for breaching the General Data Protection Regulation. The incident affected 8,234 UK individuals, of which 863 individuals were deemed at high risk because of the nature of the data involved.

According to the reprimand:

• The breach occurred after an unknown threat actor gained access to the secure cloud based server via legitimate credentials, later publishing the data on the dark web
• 8,234 UK data subjects were affected, of which 863 were deemed to be at ‘high-risk’ of harm or detriment due to the special category of data including criminal data pertaining to ‘homicide, terrorism, sexual offences, offences involving children or particularly vulnerable adults’.
• the data involved was:
  • Name
  • Data of Birth
  • Address
  • National Insurance Number
  • Prisoner Number
  • Health Status
  • Details of Criminal allegations not charged
  • Details of Criminal allegations prosecuted
  • Outcomes of investigations and prosecutions
  • Details of complainants and victims both adult and children
  • Previous Convictions
  • Legally privileged information and advice
• Levales did not implement appropriate technical and organisational measures to ensure their  systems were secure because while outsourcing their IT management to a third party were unaware of security measures in place such as detection, prevention, and monitoring.
• Levales had not reviewed if the technical measures associated with the contract, were appropriate for the personal data they were processing since the contract was first signed in 2012.

Read the rest of this entry »

Cyber attacks on service providers working for large institutions, especially in the health sector, are common. Health Services often contract out IT services, as they did with Advanced Computer Software Group Ltd (Advanced). Unfortunately organisations and agencies spend insufficient time in ensuring that those contractors maintain adequate cyber protections and proper training regimes for their staff. Advanced provided IT services and handled personal information collected by the UK National Health Service in its capacity as a data processor. In August 2022 Advanced was hit with a ransomware attack which also involved personal information of 82,946 people being exfiltrated. NHS was impacted in not being able to access patient records. The ICO has announced that it will fine Advanced 6.09 million pounds.

The announcement provides:

We have provisionally decided to fine Advanced Computer Software Group Ltd (Advanced) £6.09m, following an initial finding that the provider failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.  

Advanced provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, and handles people’s personal information on behalf of these organisations as their data processor. Read the rest of this entry »