DPP Law Ltd.

€70,300

Insufficient technical and organisational measures to ensure information security

Datum för beslut

14 april 2025

Myndighet

Information Commissioner (ICO)

GB

Sektor

Finance, Insurance and Consulting

Land

GB

Lag

GDPR

Status

FINAL

Beskrivning

The UK DPA (ICO) has imposed a fine of £ 60,000 (EUR 70,300) on the law firm DPP Law Ltd. The controller had suffered a cyber attack during which personal data of 791 clients and expert witnesses were exfiltrated and published on the dark web. The DPA found that the controller failed to implement adequate technical and organisational measures to prevent such an attack, including the failure to regularly audit administrative accounts on its network, thereby infringing Art. 5 (1) f), 32 (1), and 32 (2) UK GDPR. The controller also breached Art. 33 (1) UK GDPR by failing to notify the DPA within 72 hours, reporting the incident only 43 days later.

Rättsliga hänvisningar

Art. 5 (1)Art. 32 (1)Art. 33 (1)

Frågor och överträdelser

Insufficient technical and organisational measures to ensure information security
Visa officiellt dokument
Tillbaka till databasen för böter

Håll dig uppdaterad om efterlevnaden av sekretessreglerna

Vi respekterar din integritet. Ett e-postmeddelande per månad, ingen skräppost, avsluta prenumerationen när som helst.