
ICO publicly reprimands small firm targeted by phishing attack
16 August 2023

A small two-partner firm in County Durham has been reprimanded over a cyber attack on its system where fraudsters accessed funds on a probate matter.

The Information Commissioner’s Office ruled that Swinburne, Snowball & Jackson (SSJ), a firm of six lawyers, had failed to meet its requirements to process data securely and to ensure its systems were secure. The firm swiftly reported the attack and repaid the money to clients.

The incident happened in January 2021, a period of national lockdown, when cyber criminals got into an employee’s Outlook email account through a so-called ‘spear phishing’ attack and interfered with payments to beneficiaries of a probate matter. Spear phishing is a type of cyber attack that targets specific individuals or organisations through malicious emails personalised to the intended victim. In total, four fraudulent payments involving an undisclosed sum of money were identified, resulting in a 21-day delay in payments of the legacies to the beneficiaries. 

The ICO said the firm did not have a suitable contract in place with its IT provider that defined security responsibilities or the level of security required. As a result, it could not show whether or how preventative measures had been implemented for its email accounts.

SSJ did not have multi-factor authentication for the affected email account despite guidance from the National Cyber Security Centre and the SRA to have this in place. The firm had also started but not completed accreditation for a cyber security scheme run by the NCSC.

Since the incident, the firm has commissioned a third-party cyber security firm to investigate and report on what happened, and has worked with IT consultants on remedial measures. All clients affected were repaid in full within three weeks. SSJ reported the matter to its insurers and to the SRA within a day, and to the ICO within two weeks.

The firm had been unaware of its requirement to report such an attack to the ICO within 72 hours. The regulator advised that staff should be appropriately trained in reporting requirements, especially those responsible for overseeing data protection obligations. The firm was also advised to enable strong authentication for staff remotely accessing emails.

In a statement, SSJ said: ‘The firm was Lexcel accredited, with all appropriate data protection, information management and security policies, but fell victim to a sophisticated phishing attack by fraudsters compromising our email system.

‘Immediately upon learning of the attack, we acted swiftly, mitigating the damage, commissioning an independent Cyber Security Report and implementing all recommendations. We cooperated fully with the ICO and the SRA.’

Source: The Law Society Gazette, 15th August 2023
