Sensitive police evidence and client data exposed after DPP Law suffers major ransomware breach
A Merseyside law firm that specialises in criminal defence and actions against police has been fined £60,000 after sensitive client data was stolen and leaked onto the dark web.
DPP Law Ltd was hit by a cyber attack in 2022, during which hackers accessed over 32GB of data from its network. The firm only learned the full extent of the breach when the National Crime Agency contacted them to say stolen files—including court bundles, police bodycam footage, photos, and expert reports—had been posted online.
Despite the severity of the breach, the firm waited 43 days before reporting the incident to the Information Commissioner’s Office (ICO)—well beyond the legal limit of 72 hours. The ICO concluded DPP failed in its duty to protect personal information and failed to recognise the loss of access to that information as a data breach.
DPP Law has stated it “disagrees” with the ICO’s decision and intends to appeal the fine.
Andy Curry, the ICO’s director of enforcement, made clear the regulator’s stance. “Data protection is not optional,” he said. “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access. This fine serves as a warning to any organisation that doesn’t take its responsibilities seriously.”
The breach occurred after DPP’s email server failed and its entire IT network became inaccessible. An external IT provider advised that it was a ransomware incident, even though no ransom demand was ever made. A compromised staff laptop was identified as the point of initial access.
DPP initially concluded no data had been extracted after reviewing firewall and server logs. But the NCA later revealed that three folders had been posted on the dark web, exposing materials involving clients and expert witnesses.
The attack was traced back to a rarely used administrator account linked to an old case management system. Though it complied with Solicitors Regulation Authority guidance, the account had full administrator rights and no risk assessment had been conducted on it. Hackers accessed it via a remote desktop machine and navigated through the firm’s network undetected.
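One defender-side check the attack path above suggests, as an added example (not code from the article or DPP Law): flag remote-desktop logons by privileged accounts that have sat idle for months. The account inventory, event records and field names are constructed for the example and assumed to be derived from Windows Security event 4624, where logon type 10 is RemoteInteractive.

```python
"""Flag remote-desktop logons by dormant privileged accounts.

Added example, not from the article or DPP Law. The inventory and the
event records are constructed; their field names are assumptions
modelled on Windows Security event 4624 (LogonType 10 = RemoteInteractive).
"""
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)
REMOTE_INTERACTIVE = 10

# Constructed privileged-account inventory: name -> last known use/review.
ADMIN_ACCOUNTS = {
    "svc_casemgmt_admin": datetime(2021, 11, 3),  # legacy case-management admin
    "itadmin": datetime(2022, 5, 30),
}

# Constructed 4624-style logon records (time, account, logon type, source).
EVENTS = [
    {"time": "2022-06-02T02:14:09", "account": "itadmin", "logon_type": 10, "src": "10.0.5.21"},
    {"time": "2022-06-02T02:31:44", "account": "svc_casemgmt_admin", "logon_type": 10, "src": "10.0.9.77"},
    {"time": "2022-06-02T09:05:12", "account": "jsmith", "logon_type": 2, "src": "-"},
]


def find_dormant_admin_rdp(events, admins, dormant_after=DORMANT_AFTER):
    """Return one alert per RemoteInteractive logon by a privileged account
    that had been unused for longer than `dormant_after`."""
    alerts = []
    for ev in events:
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue
        last_seen = admins.get(ev["account"])
        if last_seen is None:
            continue  # not a privileged account; out of scope for this rule
        when = datetime.fromisoformat(ev["time"])
        idle = when - last_seen
        if idle > dormant_after:
            alerts.append({"account": ev["account"], "idle_days": idle.days,
                           "src": ev["src"], "time": ev["time"]})
    return alerts


if __name__ == "__main__":
    for a in find_dormant_admin_rdp(EVENTS, ADMIN_ACCOUNTS):
        print(f"ALERT: dormant admin {a['account']} (idle {a['idle_days']}d) "
              f"RDP logon from {a['src']} at {a['time']}")
```

In practice the inventory would come from a directory export and the events from the SIEM; the rule is the same, and any dormant account it fires on is a candidate for removal rather than just review.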
The fallout has already led to five potential professional negligence claims, including from three individuals whose personal information was stolen and who reported experiencing distress, shock, and anxiety.
The ICO found that DPP relied too heavily on third-party IT contractors and failed to maintain adequate internal IT systems. Although the firm has since overhauled its infrastructure—migrating its case management, accounts, and email systems to a new host—the ICO said such action does not count as a mitigating factor because it should have been done proactively.
In a statement, DPP stressed its continued commitment to cybersecurity, citing its certifications: “DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. These independent certifications are intended to assure clients and stakeholders of our adherence to best practices.”
Still, Curry warned that certifications are no substitute for robust, up-to-date cybersecurity policies and awareness. “Organisations must continually assess their cybersecurity frameworks and act responsibly to prevent breaches like this,” he said.