Following a significant data breach, the Information Commissioner’s Office (ICO) has formally reprimanded a law firm after sensitive client information was exposed on the dark web.
The incident involved Hampshire-based firm Levales, which specialises in criminal and military law. A breach occurred when an unidentified threat actor accessed the firm’s secure cloud-based server using legitimate credentials. Subsequently, they published the compromised data on the dark web.
Levales was criticised by the ICO for failing to implement essential security measures, such as multi-factor authentication (MFA), and for its lack of awareness of the security controls managed by its third-party IT provider. At the time of the breach, the firm relied on computer prompts for password management and had no formal password policy.
The ICO found that 8,234 individuals in the UK were affected by the breach. Of these, 863 faced a high risk of harm because special category data was exposed, including details of criminal charges, convictions, and legally privileged content.
According to the ICO, Levales did not ensure the confidentiality of its processing systems as required by Article 32(1)(b) of the GDPR. The absence of MFA on the affected domain account was highlighted as a fundamental oversight, with the ICO stressing that MFA is a basic security measure that should be employed by any organisation handling personal data.
Moreover, the firm outsourced its IT management without comprehensively reviewing whether the existing technical measures were adequate to safeguard personal data. The ICO’s notice emphasised the need for regular reviews of contracts with managed service providers, so that data security obligations are fully understood and maintained.
In response to the reprimand, Levales has taken several remedial measures, including introducing MFA across all user accounts, updating service contracts with third-party providers, and overhauling its systems with a priority on firewall upgrades.
This incident underscores the increasing cyber threats facing the legal sector. The National Cyber Security Centre has recently published updated guidance to assist legal professionals in mitigating cyber risks.
The reprimand of Levales reflects the critical need for stringent data security practices, particularly in sectors handling sensitive information. Ongoing vigilance and adherence to robust security protocols remain vital to protect client data.