DPP Law Fine - £60k - GDPR - ICO - April-25

Written by SteelEye | Apr 14, 2025 2:00:00 AM

QUICK FACTS

  • Fine Amount: £60,000

  • Date: 14 April 2025

  • Primary Violations: GDPR Breaches

    • Infringements of UK GDPR Articles 5(1)(f), 32(1) and 32(2) for failing to implement appropriate data security.
    • Article 33(1) for failing to notify a data breach without undue delay.

Overview

The Information Commissioner’s Office (ICO) has issued a penalty of £60,000 to DPP Law Ltd, a UK-based law firm. The fine was imposed for serious failures to protect sensitive client data, which resulted in a significant cyber-attack where the personal data of 791 individuals was stolen and published on the dark web.

The ICO found that DPP Law infringed upon multiple articles of the UK General Data Protection Regulation (UK GDPR), specifically by failing to implement appropriate technical and organisational security measures.

The firm was also penalised for its failure to notify the ICO of the personal data breach within the mandated 72-hour period, waiting 43 days before reporting the incident.

Details of the Case

DPP Law Ltd experienced a cyber incident on 4 June 2022. Attackers gained access to the firm's IT network, corrupted files, exfiltrated 32.4Gb of data, and published it on the dark web. The compromised data was highly sensitive, affecting 791 individuals, and included court bundles, privileged legal advice, police body-cam footage, and personal data of vulnerable clients.

The ICO's investigation found that the firm’s security failings had persisted for at least four years, from the implementation of GDPR in May 2018 until the date of the incident in June 2022. The regulator concluded that the breach was a result of DPP Law's negligence in its security practices.

KEY FAILINGS

DPP Law became aware of the incident on 4 June 2022, when its systems became inaccessible. However, the firm did not report the breach to the ICO until 17 July 2022, a delay of 43 days. This was only after being contacted by the National Crime Agency (NCA) about the data being found on the dark web. The firm demonstrated a lack of understanding that the initial loss of data availability constituted a notifiable breach under UK GDPR.

The attackers gained access by compromising a single, highly privileged administrator account. This account had inappropriate and excessive permissions, a direct violation of the well-established "principle of least privilege".

DPP Law failed to conduct a risk assessment on the compromised administrator account, despite being aware of its existence since at least 2011. The firm also failed to perform regular audits of user accounts to ensure they had appropriate privileges.

Worked Example

The ICO report highlights the 'sqluser' account as a critical point of failure:

  • The account was created in 2001 for a legacy case management system that was taken out of service in April 2019.
  • Despite its limited and outdated purpose, the account retained full, unrestricted administrator rights across the entire network. This allowed the threat actor to move laterally across systems after the initial compromise.
  • DPP Law did not know the password for the account, could not reset it, and had not performed a risk assessment on it, viewing it as a supplier-managed account for which they were not responsible.
  • Support for the system had ended in 2021, yet the over-privileged account remained active on the network.
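The two failings the report describes, a privileged account that was never audited and a breach reported well outside the 72-hour window, can both be turned into routine checks. The following is an added illustration, not code from the ICO report or from SteelEye; the account inventory, field names and exact days within the stated months are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

@dataclass
class Account:
    name: str
    is_admin: bool
    system: str                      # system the account exists to serve
    system_retired: Optional[date]   # when that system was taken out of service
    support_ended: Optional[date]    # when vendor support for it ended
    password_controlled: bool        # can the firm itself reset the credential?
    last_risk_assessed: Optional[date]

def audit_privileged_accounts(accounts, today):
    """Flag admin accounts showing the conditions the ICO cited for 'sqluser'.
    Returns {account_name: [reasons]}; non-admin accounts are out of scope here."""
    findings = {}
    for a in accounts:
        if not a.is_admin:
            continue
        reasons = []
        if a.system_retired and a.system_retired <= today:
            reasons.append(f"serves a system retired on {a.system_retired}")
        if a.support_ended and a.support_ended <= today:
            reasons.append(f"vendor support ended {a.support_ended}")
        if not a.password_controlled:
            reasons.append("credential not under the firm's control")
        if a.last_risk_assessed is None or today - a.last_risk_assessed > timedelta(days=365):
            reasons.append("no risk assessment within the last 12 months")
        if reasons:
            findings[a.name] = reasons
    return findings

def notification_delay(aware_at, notified_at):
    """Article 33(1): report within 72 hours of becoming aware of the breach.
    Returns (days elapsed, True if the 72-hour window was missed)."""
    return (notified_at - aware_at).days, notified_at > aware_at + timedelta(hours=72)

# Constructed inventory mirroring the report's facts: system retired April 2019,
# support ended 2021, password unknown, never risk assessed (exact days assumed).
INVENTORY = [
    Account("sqluser", True, "legacy case management", date(2019, 4, 1), date(2021, 1, 1), False, None),
    Account("backup-svc", True, "backup platform", None, None, True, date(2022, 3, 1)),
]
FINDINGS = audit_privileged_accounts(INVENTORY, date(2022, 6, 4))        # day of the incident
DAYS, MISSED = notification_delay(datetime(2022, 6, 4), datetime(2022, 7, 17))  # 43 days, window missed
```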

Fines and Penalties

Total Penalty: £60,000

The ICO determined this amount to be "effective, proportionate and dissuasive" after considering the medium seriousness of the infringements, DPP's turnover, and the need to deter both the firm and other organisations from similar failings.

Key quotes

  • "DPP failed to adopt the principle of least privilege and failed to regularly audit administrative accounts on its network." 
  • "By focusing its efforts on bringing its systems back online and neglecting to undertake an assessment of the risks posed to data subjects, DPP did not notify the Commissioner until 43 days after the Cyber Incident." 
  • "The Commissioner finds that as an SRA regulated firm... DPP should have had greater awareness of the importance of compliance with the security principles under UK GDPR." 

Sources: