Risk Update

Information Security Risk — Firm Faces Regulatory Fine for Security Gaps (It Pays to Patch Promptly)

“Firm fined almost £100,000 over ransomware attack” —

  • “Criminal defence firm Tuckers Solicitors has been fined £98,000 after failing to secure sensitive court bundles that were later published on the dark web and held to ransom by organised criminals. The information commissioner found that a ransomware attack on the national firm resulted in the encryption of 972,191 files, of which 24,712 related to court bundles. Of the encrypted bundles, 60 were taken by the attackers and then posted in underground data marketplaces.”
  • “The decision notice said: ‘The commissioner considers that Tuckers’ failure to implement appropriate technical and organisation measures over some or all of the relevant period rendered it vulnerable to the attack.’”
  • “The ICO made clear that while primary culpability for the incident rested with the attacker, the firm had given them a ‘weakness to exploit’ and was responsible for the protection of personal data. The firm had not used multi-factor authentication for remote access to its systems, despite this being recommended since 2018.”
  • “The ICO said this extra protection was a ‘comparably low-cost preventative measure which Tuckers should have implemented’, which would have substantially increased the difficulty of an attacker entering its network. Entry could have been gained through the exploitation of a single username and password, and the Tuckers system was exposed to cyber-attacks because of the lack of multi-factor authentication.”
  • “The ICO said infringements to data protection rules showed that the firm’s approach to data protection compliance ‘was not of an appropriate standard’.”

See the ICO’s “MONETARY PENALTY NOTICE” —

  • “In particular, the privacy watchdog noted the lack of multi-factor authentication (MFA) for remote access to the Tuckers systems, the slow pace at which software vulnerabilities were patched and a failure to encrypt personal data.”

That PDF redacts all the good bits. But it didn’t take much sleuthing to arrive at the likely conclusion that the underlying unpatched software was the firm’s Citrix system.

It took ~six months from when the security patch was issued to when the firm applied it… A powerful reminder for the IT and information security folks out there. The ICO offers a convenient security guide on ransomware and data protection compliance.

More generally, see: “Zero Trust Architecture: An Imperative for Law Firms” —

  • “Sadly, law firms are a ‘one-stop shop’ for cybercriminals. Break into a company and you will primarily get that company’s data. Break into a law firm and you’ll get the data of many clients. As an example, imagine breaking into a merger and acquisitions firm (among many other desirable law firm targets). Data is the new oil, right? You could hold the data for ransom, make a killing on Wall Street or use the data to infiltrate the law firm’s clients. The nightmare scenarios are endless, as many law firms have discovered to their chagrin.”
  • “Zero Trust Architecture (ZTA) has been coming at us for a while and it is now officially here, championed by the U.S. government, leading technology firms and cybersecurity experts.”
  • “The National Security Agency has stated, ‘The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, allowing or denying access to resources based on the combination of several contextual factors.’”
  • “Assuming a breach means all access should be denied by default. Harsh, but necessary. It also means that we need to have a way to continuously monitor access to all resources, monitor any configuration changes and certainly monitor all network traffic for suspicious activity.”
  • “What Will Zero Trust Implementation Cost? The short answer is that most law firms don’t know — yet. We expect that, by now, the reader understands the complexities of Zero Trust. Implementing it will not be cheap — or easy. Selling it to law firm management may be difficult. Management is not likely to find this wholesale change in security appealing, both because of the monies and time expended, but also because you cannot ‘set it and forget it’ when it comes to Zero Trust.”