DPP Law Ltd. – €70,200 Fine (United Kingdom, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
In June 2022, DPP Law Ltd (the controller) suffered a cyber-attack. Threat actors obtained administrator-level access to a legacy case management system and exfiltrated 32GB of data. The data comprised court documents, PDFs, photos and videos relating to the controller's clients, some of which related to sexual offences and child sexual abuse material. In July 2022, the National Crime Agency (NCA) informed the controller that some of its data had been published on the dark web. The controller reported the breach to the ICO (the UK DPA) 43 days after the incident.

The DPA found that the controller infringed the integrity and confidentiality principle in Article 5(1)(f) UK GDPR and the obligation to implement appropriate technical and organisational security measures under Article 32(1) UK GDPR. The DPA's investigation identified critical failings in the controller's network security which allowed the cyber-attack. The account through which the threat actors gained access, sqluser, was over-privileged and allowed full access to the controller's network. The controller did not need this account on a day-to-day basis, and an audit of privileged accounts should have identified it as a risk. The legacy case management system was also outdated: vendor support for it had ended in 2019.

The DPA also found that the controller infringed the obligation to report a personal data breach to the DPA within 72 hours under Article 33(1) UK GDPR. The DPA was critical of the fact that the controller's notification came 43 days after the breach and only after the communication from the NCA. The DPA accepted that the controller had focused its efforts on restoring its systems, but noted that the risks posed to data subjects were not properly assessed and addressed at the time of the breach.

In assessing the amount of the fine to impose, the DPA was influenced by the sensitivity of the personal data in question, the extent of the controller's negligence, and the need for a dissuasive
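The two technical findings above, a standing full-access account that was not needed day to day and a case management system whose support had ended in 2019, are both things a routine inventory audit is meant to surface. The following Python is an added example written for this page, not code from the ICO notice or from DPP Law. It runs the two checks over a constructed inventory: the account name sqluser and the 2019 end of support come from the findings; the role names, the other accounts, the exact dates and the 30-day dormancy threshold are assumptions made for illustration.

```python
"""Privileged-account and end-of-support audit over a constructed inventory.

Added example, not code from the ICO notice or from DPP Law. It shows the two
checks a routine audit would have needed to surface the failings the ICO
describes: a standing high-privilege account (sqluser) with no day-to-day
business need, and a system whose vendor support ended in 2019. Role names,
dates, the other accounts and the 30-day dormancy threshold are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

# Assumption: these role names stand in for whatever grants "full access" in a
# real estate (a database sysadmin role, a domain admin group, and so on).
HIGH_PRIVILEGE_ROLES = frozenset({"sysadmin", "domain admins"})


@dataclass(frozen=True)
class Account:
    name: str
    roles: FrozenSet[str]
    last_logon: Optional[date]   # None: no logon ever recorded
    needed_daily: bool           # documented business need for routine use
    owner: Optional[str]         # accountable person or team; None: orphaned


@dataclass(frozen=True)
class System:
    name: str
    support_end: Optional[date]  # vendor end-of-support date; None: supported


def audit_accounts(accounts: List[Account], as_of: date,
                   dormant_after_days: int = 30) -> List[Tuple[str, List[str]]]:
    """Return (account name, reasons) for each high-privilege account that
    should not exist in its current form. Unprivileged accounts are ignored."""
    findings = []
    for acct in accounts:
        if not (acct.roles & HIGH_PRIVILEGE_ROLES):
            continue
        reasons = []
        if not acct.needed_daily:
            reasons.append("standing high privilege without routine need")
        if acct.last_logon is None or (as_of - acct.last_logon).days > dormant_after_days:
            reasons.append("dormant")
        if acct.owner is None:
            reasons.append("no accountable owner")
        if reasons:
            findings.append((acct.name, sorted(reasons)))
    return findings


def audit_systems(systems: List[System], as_of: date) -> List[Tuple[str, int]]:
    """Return (system name, days past end of support) for unsupported systems."""
    return [(s.name, (as_of - s.support_end).days)
            for s in systems
            if s.support_end is not None and s.support_end < as_of]


# Constructed inventory, dated just before the June 2022 attack.
AS_OF = date(2022, 6, 1)

CONSTRUCTED_ACCOUNTS = [
    # Mirrors the finding: full-access service account, not needed day to day,
    # nobody owning it, last used months ago.
    Account("sqluser", frozenset({"sysadmin"}), date(2022, 1, 15), False, None),
    # Ordinary user: not privileged, so never flagged.
    Account("j.smith", frozenset({"case_user"}), date(2022, 5, 31), True, "j.smith"),
    # Privileged but justified, in use and owned: acceptable.
    Account("backup-svc", frozenset({"sysadmin"}), date(2022, 5, 31), True, "IT"),
]

CONSTRUCTED_SYSTEMS = [
    System("case-management-legacy", date(2019, 12, 31)),  # support ended 2019 (exact day assumed)
    System("email-gateway", None),
    System("file-server", date(2024, 1, 1)),
]


def run_audit():
    """Run both checks over the constructed inventory and return the findings."""
    return {
        "accounts": audit_accounts(CONSTRUCTED_ACCOUNTS, AS_OF),
        "systems": audit_systems(CONSTRUCTED_SYSTEMS, AS_OF),
    }


if __name__ == "__main__":
    result = run_audit()
    for name, reasons in result["accounts"]:
        print(f"ACCOUNT {name}: {', '.join(reasons)}")
    for name, days in result["systems"]:
        print(f"SYSTEM {name}: {days} days past end of support")
```

Run as a script, the only account flagged is sqluser (dormant, orphaned, privileged without routine need) and the only system flagged is the legacy case management system. In a real estate the inventory would be pulled from the database server's role membership, the directory's admin groups and the asset register rather than typed in, but the decision logic is the same: any full-access account without a current owner, a routine need and recent use is a finding, and any system past its vendor support date is a finding regardless of whether it still works.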
GDPR Articles Cited
Art. 5(1)(f) UK GDPR (integrity and confidentiality); Art. 32(1) UK GDPR (security of processing); Art. 33(1) UK GDPR (notification of a personal data breach to the supervisory authority).
Related Enforcement Actions (0)
No other enforcement actions found for DPP Law Ltd. in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 April 2025
Authority
Information Commissioner's Office
Fine Amount
€70,200
60,000 GBP
Enforcement Tracker ID
ETid-2566
GDPRhub ID
gdprhub-9143
Cite as: Cookie Fines. DPP Law Ltd. - United Kingdom (2025). Retrieved from cookiefines.eu