First Ransomware Fine Given by the ICO
Key Contact: Declan Goodwin
Author: Rachel McCulloch
In March 2022, a firm of solicitors was fined £98,000 by the ICO for security breaches following a ransomware attack, the first fine the ICO has ever issued in relation to ransomware. Part of the firm's IT system had become unavailable, and a ransom note was found. The ICO was notified that over 24,000 legal case bundles stored on an archive server had been encrypted by the attacker, including the backups. Sixty of the case bundles, containing personal data and special categories of data, were published on the dark web.
The Information Commissioner found that it was the firm's failure to implement appropriate security measures that made it vulnerable to the attack, and that its approach to data protection compliance was not of an appropriate standard. This led to the ICO's decision to issue the fine.
What is ransomware?
Ransomware is a type of malicious software that holds a victim's information for ransom. The software is designed to encrypt data so the victim cannot access files or applications, and the attacker then demands a ransom payment to restore access. The attacker may also threaten to publish the victim's data online if the ransom is not paid.
What is the ICO’s guidance on ransomware?
The ICO has found that personal data breaches caused by ransomware are increasing in both number and severity. The ICO has recently published new guidance, "Ransomware and data protection compliance", which outlines eight scenarios covering the most common ransomware compliance issues it has seen. You can read more on the ICO's 'Ransomware and data protection compliance' guidance here.
On the issue of paying a ransom demand, the ICO supports the position of law enforcement, which does not encourage, endorse or condone payment. It should be noted that the ICO does not consider paying the ransom to be an effective measure for mitigating the effects of a breach.
What can you do to avoid a data breach incident as a result of ransomware?
There are many things you and your business can do to avoid becoming the victim of a ransomware attack that leads to a data breach. Some key considerations are:
- Company policies: It is important to establish company policies, such as a data protection policy setting out how personal data is to be protected, and a data breach policy setting out what to do in the event of a breach. All staff should be aware of these policies and know exactly what to do if an incident occurs.
- Training: Phishing is a common method of delivering ransomware by email, and is also used to trick people into entering their username and password so that attackers can gain access. It is important that your staff are trained to recognise potential phishing emails, and that they are trained in your company policies and procedures.
- Multi-factor authentication: Multi-factor authentication requires users to present two or more verification factors to gain access to an account, and is particularly important for remote access. This increases security and reduces the risk of a cyber-attack.
- Backups: Having a backup of the personal data you hold is an important measure for mitigating the risk of ransomware. However, attackers will also seek to delete or encrypt the backup, so it is just as important to secure it, for example by storing it offline.
- Updating software: Having antivirus and anti-malware software is essential to protect your systems against potential attacks, but it is just as essential to ensure that this software is kept updated and that it runs regular scans to detect any risks.
If you are in any doubt, we would suggest seeking legal advice.
For further information and assistance, please contact our Commercial and Technology Team.