Tuckers Solicitors has been hit with a £98,000 fine by the Information Commissioner’s Office due to ‘cyber-security negligence’. The legal firm is well renowned and has multiple offices including Greater Manchester, West Midlands, Staffordshire and Greater London. This fine is an important reminder that cyber security needs to be taken seriously by all organisations, especially establishments from industries such as law that are predominantly targeted by attackers.
Threat actors often target law firms due to the high quantities of sensitive data that is collected and stored. As far back as 2017, the SRA have warned firms about cyber criminals and stated that “solicitors are obliged under the Code of Conduct to maintain effective systems and controls to mitigate risks to client confidentiality”. Still, like with this instance, some do not prioritise their cyber security health with appropriate practices and procedures.
Tuckers Solicitors confirmed on the 24th August 2020 that they had been hit by a ransomware attack, leading to the encryption of 972,191 individual files. 24,711 had been related to court bundles, 60 of the bundles were exfiltrated by the attacker and published on the dark web. The information included a ‘comprehensive set of personal data’, including names, addresses, medical files, witness statements and alleged crime details. In each bundle there were multiple people’s personal information released, including a child’s identity and their personal family circumstances.
Right now, you may be questioning why Tuckers Solicitors have also been held responsible for this attack and why they are having to pay the price when an external threat actor was the one that attacked them. Well, the ICO determined that the firm had failed in many instances for example they were incompliant with GDPR, technical and organisational measures were inadequate and the risk to personal data was increased by giving the attacker an easy entry point onto their network through a well-documented vulnerability.
What we can learn from Tuckers’ errors:
Tuckers Solicitors and an external cyber security team, hired after the attack, could not conclusively determine how the attacker was able to access the network. However, there was a critical vulnerability left unpatched for a drastic amount of time, which led to a “significant indication” that this was exploited by the threat actor.
The vulnerability in question, was given a CVSS score in the ‘critical’ range and many (the vendor, NCSC, CISA) publicly warned organisations about ransomware attacks occurring and the flaw. The NCSC also strongly advised organisations to carry out searches across their networks to identify whether exploitation had already taken place.
Unfortunately, the organisation did not patch the vulnerability until June 2020, even though there had been a patch available since 19th January 2020.
Best Practices: Patch management is one aspect of vulnerability management (VM); the latter is an integral part to improving your firm’s cyber security health. Vulnerability management is the process of assessing, prioritising and managing software and configuration vulnerabilities. Once a patch is available for a known vulnerability, it’s best to patch as soon as possible. This can add a lot of pressure on resources with 71% of IT and security professionals finding patching to be overly complex and time-consuming. This amplifies why the ‘prioritise’ stage to VM is important. Every vulnerability identified is given a CVSS score which highlights the level of danger the flaw could impose from Low to Critical. Best practice is to patch all high and critical vulnerabilities within 14 days of a patch becoming available.
vSOC Recon is one of our services that can help IT teams with the challenges of vulnerability management. The service is integrated into our powerful platform, vSOC Connect Console, that helps organisations identify, manage and prioritise vulnerabilities and misconfigurations that would
otherwise leave them exposed.
Cyber Essentials Certifications
In October 2019, the firm was assessed for Cyber Essentials but failed to meet important aspects of the standards requirements. Tuckers were also accredited with the Law Society’s Lexcel Legal Practice Quality Mark which in 2018 stated that firms should have Cyber Essentials.
Best Practices: Cyber Essentials is the government backed scheme that outlines the technical controls an organisation must have to ensure an effective level of security. Due to the nature of the legal sector, Cyber Essentials is often a good starting point to ensure that all basic security procedures are in place. Many organisations opt for Cyber Essentials Plus which involves a certification body, like Data Connect, to carry out an audit to verify they are meeting the standards.
In our experience, vulnerability management is often the area that organisations struggle with to achieve Cyber Essentials. If you would like to find out more about the Cyber Essentials standard, we’ve written multiple blogs regarding the certification or find out more about our vSOC CERT service. The service is integrated into our console, it empowers businesses to keep on top of Cyber Essentials and allows staff to manage remediation actions to stay compliant.
The law firm were using remote desktops, the focal point of the attack, but lacked Multi-Factor Authentication (MFA). This type of protocol has been recommended for remote access by the NCSC since 2018 and the SRA that year had also published guidance on this matter.
Both GDPR and the Data Protection Policy require MFA to be in place.
Best Practices: Like the names suggests, MFA relies on a user completing multiple steps to verify their identity. Without MFA, threat actors can crack the passwords or use a stolen password from their own phishing campaigns or a leaked dataset. If the application is connected to the cloud or internet, it is important to have MFA set for all users and not just administrators. Questions around how often multi-factor authentication should take place is based around the risk that an application carries if it is breached. A few situations for MFA are when personnel are performing high risk tasks, using a new device, connecting while oversees or in some cases, every time they use a high risk application.
Our CSA (Cyber Security Assessment) goes beyond Cyber Essentials to look at a wider set
of controls including a review of remote access implementations. The assessment is bespoke to your organisation and includes a strategic roadmap designed to highlight ongoing security improvements.
Storage and Encryption
While the ICO accepted that encryption of the personal data may not have prevented the attack, they did believe that it could have mitigated some of the risks posed to the clients and witnesses affected. One statistic that show the importance of this area is that 83% of ransomware attacks involved the threat to leak exfiltrated data.
The firm were also found to be storing data longer than the 7 year retention period which added additional risk to the data being breached. Also, some of the files exfiltrated in the attack were older than 7 years.
Best Practices: Firstly, it’s critical to fully understand what data is being stored, where it resides and who has access. You can’t protect what you don’t know about. Access permissions should be regularly reviewed to ensure only the correct individuals have access and that they have the proper level of access. Data should be stored in an encrypted form (according to regulatory requirements) to prevent any sensitive content from being accessible even in the event of a data breach.
Data retention and destruction policies should also be put in place to reduce the aggregation of data. Any archived data which is retained should be given the same levels of protection as current data.
If you are unsure what cyber security measures your law firm has in place, it is time to start asking these questions. Tuckers Solicitors is a cautionary tale of the implications that can arise if cyber security is not taken seriously. If you have any queries or would like to stay in touch, please click here.