Access controls and breach notification: UK regulator fines law firm for data breach
Posted: May 2, 2025
On 16 April 2025, the UK Information Commissioner’s Office (ICO) issued a Monetary Penalty Notice (MPN) against a law firm for alleged violations of the UK General Data Protection Regulation (UK GDPR).
Here’s a look at what went wrong for this organization and how a failure to apply the principle of “least privilege” led to a fine.
What happened?
DPP Law Ltd (DPP) is a law firm specializing in areas like criminal defense, family law, and actions against the police.
The ICO states that DPP processes “highly sensitive personal data, including special category data (e.g. data concerning a natural person’s sex life), DNA data, legally privileged information and allegations of criminal offences (including child sexual abuse).”
The ‘sqluser’ account
In 2011, DPP became aware that a third-party IT provider had—a decade earlier—created an administrator account, named sqluser, with very broad access privileges across DPP’s case management systems.
In 2019, DPP migrated to a new case management system. Two years later, it lost third-party support for the sqluser account or the legacy system. However, the sqluser account remained active with the same access privileges.
From February 2022, the ICO found evidence that “brute force” attacks were being conducted against the sqluser account. On 3 June 2022, the attacker succeeded in compromising the sqluser account and gained access to DPP’s legacy systems.
The next day, on 4 June 2022, the attacker leveraged the sqluser account to deactivate DPP’s security defences and backup processes. DPP lost access to its IT network, including staff email accounts. At this point, DPP allegedly became aware of the cyber incident.
The disruption continued in early to mid-June 2022 for around a week, but DPP’s firewall recorded that no data had been exfiltrated from its systems.
However, DPP’s firewall was unable to log “egress flows”—the transition of data beyond a network’s boundary. Therefore, the firewall did not detect the full extent of the attack.
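The attack chain described above (months of failed logins against one privileged account, then a success) is the pattern a basic authentication-log detector should catch long before the account is compromised. The following is an added example, not code from the ICO notice or from DPP's systems: a sliding-window brute-force detector run over constructed sample log lines. The log format, the `PRIVILEGED_ACCOUNTS` list and the thresholds are assumptions.

```python
"""Sliding-window brute-force detection over authentication log lines.

Added example (not from the ICO notice or DPP's systems). The log format,
sample lines, privileged-account list and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures against a dormant admin account within a
# minute, then a success from the same source; one ordinary user login.
SAMPLE_LOG = """\
2022-06-03T01:00:01 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:05 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:09 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:14 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:20 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:27 FAIL user=sqluser src=203.0.113.10
2022-06-03T01:00:40 SUCCESS user=sqluser src=203.0.113.10
2022-06-03T09:15:00 FAIL user=jsmith src=192.0.2.7
2022-06-03T09:15:08 SUCCESS user=jsmith src=192.0.2.7
"""

# Accounts whose compromise warrants the highest severity (assumed list).
PRIVILEGED_ACCOUNTS = {"sqluser"}


def parse_log(text):
    """Parse lines of '<ISO timestamp> <FAIL|SUCCESS> user=<u> src=<ip>'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ok": result == "SUCCESS",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts: one 'brute_force' per account once failures inside the
    window reach the threshold, and 'success_after_brute_force' whenever a
    login then succeeds while the failure window is still hot."""
    recent = defaultdict(deque)   # user -> timestamps of failures in window
    alerted = set()               # users already flagged, to avoid repeats
    alerts = []
    for e in events:
        q = recent[e["user"]]
        while q and e["ts"] - q[0] > window:   # expire failures outside window
            q.popleft()
        severity = "critical" if e["user"] in PRIVILEGED_ACCOUNTS else "high"
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) >= threshold and e["user"] not in alerted:
                alerted.add(e["user"])
                alerts.append({"type": "brute_force", "user": e["user"],
                               "src": e["src"], "failures": len(q),
                               "at": e["ts"], "severity": severity})
        elif len(q) >= threshold:
            # A success right after a burst of failures is the signal that
            # matters most: the credential guess has landed.
            alerts.append({"type": "success_after_brute_force",
                           "user": e["user"], "src": e["src"],
                           "failures": len(q), "at": e["ts"],
                           "severity": severity})
            q.clear()
    return alerts


def analyse(text=SAMPLE_LOG):
    """Parse and detect in one step; returns the alert list."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for alert in analyse():
        print(alert)
```

On the sample, the detector raises a `brute_force` alert on the fifth failure and a `success_after_brute_force` alert on the later success; the single failed login for `jsmith` stays below the threshold. The `alerted` set suppresses repeat alerts per account for the life of the run, which is fine for a batch review; a streaming deployment would re-arm it after the window expires.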
The National Crime Agency report
In July, DPP received a report from the UK’s National Crime Agency (NCA), notifying the company that 32.4 GB of its data had been published on the dark web.
The data included:
- Court bundles
- PDFs
- Word documents
- Photos
- Videos (including police body cam footage)
The data was highly sensitive, relating to 791 individuals consisting of DPP’s clients (often victims of serious crime) and expert witnesses.
Two days after being contacted by the NCA, DPP reported the incident to the ICO.
The ICO’s findings
We can divide the ICO’s findings into two categories:
- Security: Violations of Articles 5(1)(f), 32(1), and 32(2) of the UK GDPR
- Notification: Violation of Article 33(1) of the UK GDPR
Security violations
In terms of DPP’s alleged failure to secure its legacy systems, the ICO found that:
- DPP failed to implement appropriate technical and organizational measures to ensure the security of the highly sensitive personal data it processed.
- The sqluser account had excessive (full administrator) privileges across DPP’s network, despite only needing limited access.
- DPP failed to apply “the principle of least privilege” to the sqluser account.
- DPP did not conduct adequate risk assessments on the sqluser account (despite being aware of it), and failed to properly audit its systems regularly.
- DPP did not have multi-factor authentication (MFA) enabled for the sqluser account.
These alleged violations resulted in a vulnerability that allowed the attacker to gain full network access, exfiltrate the data, and deploy ransomware on DPP’s systems.
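Each of the findings above maps to a check that a periodic privileged-account review can run automatically: privilege beyond what the task needs, admin access without MFA, no owner, vendor support ended, review overdue, and an account that nobody logs into but that is still enabled. The following is an added example, not from the ICO notice or DPP: an audit over a constructed account inventory. The record fields, privilege ranks and thresholds are assumptions; a real run would pull the inventory from the directory or database.

```python
"""Privileged-account hygiene audit modelled on the findings in the notice.

Added example (not from the ICO notice or DPP). Inventory records, field
names, privilege ranks and thresholds are assumptions."""
from datetime import date, timedelta

# Constructed inventory: an orphaned legacy admin account and a well-kept one.
INVENTORY = [
    {"name": "sqluser", "privilege": "admin", "required_privilege": "db_read",
     "mfa": False, "owner": None, "support_ends": date(2021, 6, 1),
     "last_login": date(2021, 9, 1), "last_review": date(2011, 1, 1),
     "enabled": True},
    {"name": "svc_backup", "privilege": "backup_operator",
     "required_privilege": "backup_operator", "mfa": True, "owner": "it-ops",
     "support_ends": None, "last_login": date(2022, 5, 30),
     "last_review": date(2022, 3, 1), "enabled": True},
]

# Assumed ordering of privilege levels, lowest to highest.
PRIVILEGE_RANK = {"db_read": 1, "backup_operator": 2, "admin": 3}


def audit_account(acct, today, review_max_age=timedelta(days=365),
                  dormant_after=timedelta(days=90)):
    """Return the list of issue codes for one account (empty means clean)."""
    issues = []
    if not acct["enabled"]:
        return issues                        # disabled accounts are out of scope
    if PRIVILEGE_RANK[acct["privilege"]] > PRIVILEGE_RANK[acct["required_privilege"]]:
        issues.append("EXCESSIVE_PRIVILEGE")  # more access than the task needs
    if acct["privilege"] == "admin" and not acct["mfa"]:
        issues.append("ADMIN_WITHOUT_MFA")
    if acct["owner"] is None:
        issues.append("NO_OWNER")             # nobody accountable for it
    if acct["support_ends"] is not None and acct["support_ends"] <= today:
        issues.append("SUPPORT_ENDED")        # vendor no longer maintains it
    if today - acct["last_review"] > review_max_age:
        issues.append("REVIEW_OVERDUE")
    if today - acct["last_login"] > dormant_after:
        issues.append("DORMANT_BUT_ENABLED")  # unused yet still a live target
    return issues


def audit(inventory, today):
    """Map each account name to its issues, worst offenders first."""
    report = {a["name"]: audit_account(a, today) for a in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


def recommended_action(issues):
    """Orphaned, unsupported or dormant accounts should be disabled outright;
    anything else with findings is remediated in place."""
    if {"DORMANT_BUT_ENABLED", "SUPPORT_ENDED", "NO_OWNER"} & set(issues):
        return "disable"
    return "remediate" if issues else "none"


if __name__ == "__main__":
    for name, issues in audit(INVENTORY, date(2022, 6, 1)).items():
        print(name, issues, "->", recommended_action(issues))
```

Run against the constructed inventory as of 1 June 2022, the legacy admin account trips all six checks and is recommended for disabling, while the maintained backup account is clean. The point of ranking by issue count is that a dormant, unowned, unsupported admin account with no MFA is exactly the record that should sit at the top of the review each quarter.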
Notification violation
The ICO also alleges that DPP failed to provide breach notification within the UK GDPR’s mandatory reporting period. Where a data breach meets the threshold for a report to the ICO, the controller must report it without undue delay and within 72 hours of becoming aware of the breach.
- The cyber-attack on 4 June 2022 resulted in a loss of access to systems, which the ICO calls a “loss of availability” breach. According to the ICO, this is the date on which DPP became aware of the breach.
- DPP failed to notify the ICO until 43 days later, after being informed by the National Crime Agency (NCA) that the exfiltrated data had been published on the dark web.
- DPP said its focus was on restoring systems and that it misunderstood its obligation to report the initial loss of availability as a breach.
The fine and the bigger picture
As a result of its findings, the ICO issued DPP a £60,000 fine.
UK GDPR fines are relatively rare, but this MPN was issued by the ICO’s new Interim Head of Enforcement, who is well known in data protection circles for his robust pursuit of violations under the Privacy and Electronic Communications Regulations 2003 (PECR).
The fact that this fine was issued against a relatively small firm should raise general awareness of the core issue: neglecting to regularly review account access privileges, and failing to take swift action upon discovering that those privileges have been abused.
The nature of the breach—which initially manifested as a “loss of availability” to personal data—might also prompt organizations to consider reviewing their incident response policies.