ICO issues £98,000 penalty following ransomware attack
On March 10, 2022 the Information Commissioner’s Office (ICO) imposed a £98,000 penalty on a leading UK law firm for breaching the UK General Data Protection Regulation (GDPR).
This decision has a number of useful takeaways for studios and production companies which operate in the UK.
What happened?
In August 2020 the law firm learned that its IT systems had been the subject of a ransomware attack, which had resulted in a personal data breach.
The attacker infiltrated the law firm’s network and encrypted 972,191 individual files, 60 of which were later released onto underground data marketplaces. The affected files contained personal data, special category data and criminal offence data, including:
- Basic identifiers
- Health data
- Economic and financial data
- Criminal convictions
- Data revealing racial or ethnic origin
The law firm commissioned a third party to investigate the incident, but the investigation could not determine conclusively how the attacker had gained access to the network. It did, however, find evidence of a known, unpatched vulnerability that could have been used either to enter the network or to escalate access once inside it.
The Decision
The ICO found that the law firm had breached Article 5(1)(f) of the UK GDPR (“Integrity and Confidentiality”). Under Article 5(1)(f), personal data must be: "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."
The ICO acknowledged that the attacker was primarily responsible for the data breach. However, the law firm had contravened the UK GDPR by, among other things, having a vulnerable network which could be exploited.
In particular, the ICO stated that the law firm had failed to:
- Implement multi-factor authentication (MFA) for its remote access solution (despite two-factor authentication being required under its GDPR and Data Protection Policy).
- Encrypt its data at rest (i.e., when stored), despite ICO guidance from 2018 recommending this.
- Apply a high-risk security patch until four months after it was released.
- Delete stored court bundles once their seven-year retention period had expired; some of these expired bundles were among the files exfiltrated in this attack.
The Penalty
Based on the nature, gravity and duration of the infringement – including the number of data subjects affected and the level of damage they suffered – the ICO imposed a penalty of £98,000 on the law firm.
Key takeaways for productions
This decision has a number of key takeaways for studios and production companies operating in the UK.
Protect your data with MFA
The National Cyber Security Centre recommends MFA as a mitigation for password guessing and password theft, including brute-force attacks. According to the ICO, had MFA been in place on the firm's remote access solution, the likelihood of the attack succeeding would have been substantially reduced. The lesson is to enforce MFA on every route into your environment (VPN, remote desktop, webmail and cloud consoles), not just to require it on paper: in this case the firm's own policy already mandated two-factor authentication.
Encrypt your data
Should an attacker obtain access to your stored data, effective encryption at rest can prevent them from reading it, helping you to maintain the principle of integrity and confidentiality under the UK GDPR. Note that encryption at rest limits what an attacker can read or publish; it does not stop ransomware from re-encrypting the files, so it complements tested backups rather than replacing them, and the decryption keys must be held separately from the data they protect.
Delete data once you no longer need it
Article 5(1)(e) of the UK GDPR requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Data you no longer hold cannot be stolen: in this case, court bundles that should already have been deleted under the firm's seven-year retention period were among the files exfiltrated, so a retention schedule only reduces risk if it is actually enforced.
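One way to enforce a retention period like the seven-year one cited in the decision is a scheduled sweep that deletes matter folders whose period has run out, skipping anything under legal hold and defaulting to a dry run so the planned deletions can be reviewed and recorded first. The following is an added example, not code from the ICO decision or from the Production Portal; the JSON manifest layout (folder, closure date, legal-hold flag), the idea that retention runs from the matter's closure date rather than file modification time, and the sample archive it builds in a temporary directory are all assumptions made for the illustration.

```python
"""Retention sweep for stored matter bundles.

Added example; the manifest format, the seven-year period and the sample
archive are assumptions, not taken from the ICO decision.
"""
from __future__ import annotations

import json
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 7  # assumed period, matching the one cited in the decision


@dataclass(frozen=True)
class Matter:
    folder: str        # directory holding the bundle, relative to the archive root
    closed_on: date    # retention clock runs from closure, not from file mtime
    legal_hold: bool   # never purge while a hold is in place


def retention_expiry(closed_on: date, years: int = RETENTION_YEARS) -> date:
    """Date on which the retention period ends (handles a 29 Feb closure date)."""
    try:
        return closed_on.replace(year=closed_on.year + years)
    except ValueError:  # 29 Feb closure, target year is not a leap year
        return closed_on.replace(year=closed_on.year + years, day=28)


def load_manifest(path: str) -> list[Matter]:
    """Assumed manifest format: a JSON list of
    {"folder": ..., "closed_on": "YYYY-MM-DD", "legal_hold": bool}."""
    with open(path, encoding="utf-8") as fh:
        raw = json.load(fh)
    return [
        Matter(m["folder"], date.fromisoformat(m["closed_on"]), bool(m.get("legal_hold", False)))
        for m in raw
    ]


def due_for_deletion(matters: list[Matter], today: date) -> list[Matter]:
    """Matters whose retention period has expired and which are not on legal hold."""
    return [m for m in matters if not m.legal_hold and retention_expiry(m.closed_on) <= today]


def purge(root: str, matters: list[Matter], today: date, dry_run: bool = True) -> list[str]:
    """Remove expired matter folders under root and return the folders actioned.

    Default is a dry run so the list can be reviewed (and kept as evidence of
    the retention process) before anything is deleted."""
    actioned = []
    for m in due_for_deletion(matters, today):
        target = os.path.join(root, m.folder)
        if os.path.isdir(target):
            if not dry_run:
                shutil.rmtree(target)
            actioned.append(m.folder)
    return actioned


def demo() -> dict:
    """Constructed sample archive: one expired matter, one on hold, one still current."""
    root = tempfile.mkdtemp(prefix="bundles-")
    manifest = [
        {"folder": "matter-001", "closed_on": "2012-03-01", "legal_hold": False},
        {"folder": "matter-002", "closed_on": "2011-06-15", "legal_hold": True},
        {"folder": "matter-003", "closed_on": "2019-09-30", "legal_hold": False},
    ]
    for m in manifest:
        os.makedirs(os.path.join(root, m["folder"]))
        with open(os.path.join(root, m["folder"], "bundle.pdf"), "wb") as fh:
            fh.write(b"%PDF-1.4 constructed placeholder\n")
    manifest_path = os.path.join(root, "retention.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)

    matters = load_manifest(manifest_path)
    today = date(2020, 8, 1)  # assumed sweep date
    planned = purge(root, matters, today, dry_run=True)
    before = sorted(d for d in os.listdir(root) if d.startswith("matter-"))
    deleted = purge(root, matters, today, dry_run=False)
    after = sorted(d for d in os.listdir(root) if d.startswith("matter-"))
    shutil.rmtree(root)
    return {"planned": planned, "before": before, "deleted": deleted, "after": after}


if __name__ == "__main__":
    print(demo())
```

Run as a script, the demo reports the dry-run plan, the folders present before and after the live run, and the folders removed; the on-hold matter and the matter closed in 2019 survive, the matter closed in 2012 does not. Keying retention off a closure date recorded in a manifest, rather than off file timestamps, matters in practice: copying or restoring an archive resets modification times, which would otherwise silently extend the retention period.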
Keep information security at the forefront of your mind
This decision follows a number of recent ICO penalty decisions, including its decisions to fine the Home Office £500,000 and a charity £10,000 for breaches of the UK GDPR. Coupled with the recent announcement that the ICO is now able to retain up to £7.5 million of the funds paid as a result of its civil monetary penalties, which it will use to “hold those who don't comply to account”, it is clear that the ICO is continuing to crack down on organisations that breach the UK GDPR. It is therefore essential to have sufficient safeguards in place to protect your crew data, and to keep a record of those safeguards (which controls you run, when patches were applied, when data was deleted) so that you can demonstrate them if a breach or dispute arises.
For more information on how the Production Portal helps you to secure your production data, see our guide to information security.