Tuckers Solicitor LLP – €114,660 Fine (United Kingdom, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK Information Commissioner's Office fined Tuckers Solicitors over 114,000 euros after a ransomware attack exposed sensitive legal documents. The firm failed to secure its systems properly, leading to personal data being published on the dark web. This case highlights the importance of strong cybersecurity measures to protect sensitive information.
What happened
Tuckers Solicitors suffered a ransomware attack that encrypted and exposed sensitive legal documents on the dark web.
Who was affected
Individuals involved in legal cases whose personal data, including medical files and witness statements, were part of the compromised court bundles.
What the authority found
The ICO found that Tuckers Solicitors did not have adequate security measures in place, violating GDPR's requirements for protecting personal data.
Why this matters
This case underscores the critical need for law firms and other businesses handling sensitive data to implement robust cybersecurity measures. It serves as a warning that inadequate protection can lead to severe consequences, including fines and reputational damage.
Original data from scraper before AI verification against source document.
Tuckers Solicitors (Tuckers) is a limited liability partnership of solicitors and is the data controller. On 24 August 2020, Tuckers became aware that its systems had been hit by a ransomware attack. On 25 August 2020, Tuckers determined that the attack had resulted in a personal data breach. It notified the UK DPA (ICO) of the breach on the same day and stated, “attack had resulted in the encryption of civil and criminal legal case bundles stored on an archive server. Backups were also encrypted by the attacker”.
In total, “972,191 individual files were encrypted. Of these, 24,711 related to court bundles. Of the 24,711 court bundles, 60 were exfiltrated by the attacker” and published on the dark web. As per Tuckers, “the bundles included a comprehensive set of personal data, including medical files, witness statements, name and addresses of witnesses and victims, and the alleged crimes of the individuals.” Tuckers notified 53 parties (out of the 60) whose bundles were released, as per Article 34 GDPR.
On 27 August 2020, Tuckers appointed a third-party investigator to provide a 'Cyber Security Incident Response Report'. The investigators could not find the source of the attack but found “evidence of a known system vulnerability” that could have been used to access Tuckers' networks and exploit them. Subsequently, the investigators released a patch, which Tuckers incorporated in its systems in June 2020. In September 2020, Tuckers informed the ICO that it had “moved its servers to a new environment and the business was now back to running as normal, albeit without the restoration of the data that had been compromised by the attacker.”
The ICO held that “primary culpability for this incident rests with the attacker”. However, Tuckers violated Article 5(1)(f) GDPR as its “technical and organisational measures areas were, over the relevant period, inadequate”. This finding was based on a reading of Article 32 GDPR, which mandates “a controller when implementing appropriate securi
Related Enforcement Actions (0)
No other enforcement actions found for Tuckers Solicitor LLP in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 28 February 2022
Authority: Information Commissioner's Office
Fine Amount: €114,660 (98,000 GBP)
GDPRhub ID: gdprhub-4766
Cite as: Cookie Fines. Tuckers Solicitor LLP - United Kingdom (2022). Retrieved from cookiefines.eu