UK criminal law firm reports data breach to ICO after chatbot leaks client details 


London-headquartered criminal law firm Tinnudohw Law LLP has been forced to report itself to the Information Commissioner’s Office after its chatbot, internally known as Phil, posted client details on the dark web.  

The chatbot, which the firm uses to triage incoming messages from clients and prospective clients, has over the past few months posted numerous addresses and personal emails on the web, with the firm reporting that Phil has also become abusive to clients. 

Managing partner Tobin Mudd told Legal IT Insider: “We began having serious concerns about Phil when he responded to incoming queries with sexist jokes, which does not fit with our values at the firm. However, we take security at the firm extremely seriously and could not have predicted that he was leaking confidential client information.” 

The ICO will undoubtedly consider the fact that Tinnudohw recently failed a Cyber Essentials assessment, and that in 2020 the firm exposed the email addresses of 300 clients with criminal records by posting their details in the ‘to’ section of an email offering a ‘limited time only’ post-jail free legal advice session.  

Commenting on the news, Boris Stone, from leading cybersecurity firm CyberBorg, told Legal IT Insider: “Chatbots may save time, but they are not without risk and law firms need to look out for the tell-tale signs. A chatbot that was being abusive to clients should have been an immediate red flag that something more was going on behind the scenes.”

1 thought on “UK criminal law firm reports data breach to ICO after chatbot leaks client details”

  1. I suspect this is about ‘date’ rather than ‘data’ – although Phil does remind me of a service desk guy we once had…..
