DPP Law Ltd. – €70,200 Fine (United Kingdom, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
DPP Law Ltd was fined after a cyber-attack, enabled by inadequate security measures, exposed sensitive client data. The UK data protection authority found that the company failed to protect personal information and did not report the breach on time. This incident underscores the critical importance of strong data security practices for all businesses.
What happened
DPP Law Ltd suffered a cyber-attack that compromised 32GB of sensitive client data.
Who was affected
Clients of DPP Law Ltd whose personal and sensitive information was exposed in the breach.
What the authority found
The authority ruled that DPP Law Ltd violated GDPR by not implementing adequate security measures and failing to report the breach within the required timeframe.
Why this matters
This case serves as a warning that businesses must prioritize data security and have protocols for timely breach reporting. Companies should regularly assess their security measures to protect sensitive information.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
In June 2022, DPP Law Ltd (controller) suffered a cyber-attack. Threat actors were able to obtain administrator status on a legacy case management system and extract 32GB of data. The data comprised court documents, PDFs, photos and videos relating to their clients, some of which related to sexual offences and child sexual abuse material. In July 2022, the National Crime Agency (NCA) informed the controller that some of their data had been published on the dark web. 43 days after the incident, the controller reported the breach to the ICO (UK DPA).

The DPA found that the controller infringed the integrity and confidentiality principle in Article 5(1)(f) UK GDPR and the obligation to implement appropriate technical and security measures under Article 32(1) UK GDPR. The DPA’s investigation identified critical failings in the controller’s network security which allowed the cyber-attack. The account through which the threat actors gained access, sqluser, was over-privileged and allowed full access to the controller’s network. This account was not needed by the controller on a day-to-day basis and should have been identified as a risk in an audit. The legacy case management system in use was also outdated: support for it had ended in 2019.

The DPA also found that the controller infringed the obligation to report a personal data breach to the DPA within 72 hours under Article 33(1) GDPR. The DPA was critical of the fact that the controller’s notification came 43 days after the breach and only after the communication from the NCA. The DPA accepted that the controller had focused their efforts on getting their systems working again, but noted that the risks posed to data subjects were not properly assessed and addressed at the time of the breach. In assessing the amount of the fine to impose, the DPA was influenced by the sensitivity of the personal data in question, the extent of the controller’s negligence, and the need for a dissuasive
Related Enforcement Actions (0)
No other enforcement actions found for DPP Law Ltd. in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 April 2025
Authority
Information Commissioner's Office
Fine Amount
€70,200
60,000 GBP
About this data
Cite as: Cookie Fines. DPP Law Ltd. - United Kingdom (2025). Retrieved from cookiefines.eu