New ICO ‘lessons learned’ report references past law firm data breach 

The Information Commissioner’s Office published a report today (10 May) examining the lessons learned from an array of past data breaches, including the facts of a breach at UK law firm Tuckers in 2020.

While the ‘Learning from the mistakes of others – A retrospective review’ report doesn’t mention Tuckers by name, the criminal law firm was subject to a ransomware attack in which the attacker encrypted 972,191 individual files and 24,711 court bundles. The attacker then exfiltrated 60 of the bundles and published them on the dark web. In 2022 Tuckers was fined £98,000, and it was found that the London-headquartered firm should have implemented multi-factor authentication and been quicker to patch a known Citrix vulnerability. 

Although Tuckers was unable during the investigation to confirm how the attacker entered its network, the ICO found that the exploitation of a single username and password was likely to be one of two possible entry methods, and that the lack of MFA created a substantial risk of personal data on Tuckers’ system being exposed.

With regard to the Citrix vulnerability, Citrix provided a patch on 19 January, but Tuckers only installed it in June 2022, five months after it was released. This was despite the fact that the NCSC warned in its alert in January that it was important to install the latest updates as soon as possible.

In the report out today, within the ‘Malware and ransomware’ section, the ICO reiterates that what could have been done differently is: 

  • Use multi-factor authentication (MFA) for the remote access solution. 
  • Implement more timely patch management. 
  • Use encryption for the archived documents. 

You can read the report in full here: https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/learning-from-the-mistakes-of-others-a-retrospective-review/malware-and-ransomware/

At the time of the ICO fine, Tuckers said that it takes data privacy and trust seriously, observing: “We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.” They added: “Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”

In the report out today, the ICO provides the following links as helpful further reading: 

https://www.ncsc.gov.uk/collection/10-steps 

https://ico.org.uk/media/about-the-ico/documents/4020874/ico-ncsc-joint-letter-ransomware-202207.pdf 

https://www.ncsc.gov.uk/files/White-paper-Ransomware-extortion-and-the-cyber-crime-ecosystem.pdf 

https://www.ncsc.gov.uk/guidance/multi-factor-authentication-online-services 
