UK Law Firm Given £60,000 Fine After Data Breach

A UK law firm has been slapped with a £60,000 fine after a serious cyber attack led to the exposure of highly sensitive client information on the dark web. The Information Commissioner’s Office (ICO) found that DPP Law Ltd, with offices in Bootle and Liverpool, failed to implement basic cybersecurity measures, effectively allowing hackers to infiltrate the firm's systems. The June 2022 breach gave cybercriminals access to over 32GB of confidential data, including legally privileged material tied to criminal, military, and family law cases.

The ICO criticized DPP for waiting 43 days to report the incident and failing to initially recognize it as a personal data breach. Investigators discovered that the attack stemmed from a brute-force login attempt on an old administrator account tied to a legacy system, from which hackers moved laterally across DPP’s network. While DPP insists it cooperated fully and plans to appeal the decision, the ICO’s message was clear: cybersecurity negligence, especially in firms handling sensitive data, won’t be tolerated. As ICO enforcement director Andy Curry warned, "Data protection is not optional—it’s a legal obligation."
