Failure to patch and introduce MFA led to £98k ICO fine for Tuckers Solicitors
Tuckers patched five months after an NCSC alert flagged exploitation of a critical vulnerability, understood to be in Citrix. While it was not conclusive that the vulnerability was how the attacker was able to access Tuckers’ network, its delay in patching was cited as contravening data protection regulation. It also failed to introduce multi-factor authentication, with the exploitation of a username and password described as “one of two possible entry methods into Tuckers network.”
UK criminal defence law firm Tuckers Solicitors was last week (10 March) fined £98,000 after a ransomware attack saw 60 court bundles, including medical statements and witness statements, published on the dark web in 2020. In its ruling, the Information Commissioners Office found that Tuckers contravened the General Data Protection Regulation 2016, by not introducing multi-factor authentication for remote access, particularly given that the national law firm holds highly sensitive and private data. It also delayed patching a critical vulnerability, which the NCSC warned in January was being exploited by malicious actors. While the name of the specific vulnerability is redacted in the ICO’s statement, it is already in the public domain that the vulnerability flagged by the NCSC in January 2020 was in Citrix.
With regard to MFA, the ICO said: “Had MFA been used, it could have substantially supported Tuckers in preventing access to its network.”
It added: “The Commissioner is cognisant of the fact that Tuckers is unable to confirm exactly how the attacker entered its network – however, the exploitation of a single username and password is a common exploitation method and is likely to be one of two possible entry methods into the Tuckers network. The lack of MFA accordingly created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack.”
And the ICO concluded: “Taking into consideration the highly sensitive nature of the personal data that Tuckers was processing, as well as the state of the art of MFA, and the costs of implementation, Tuckers should not have allowed access to its network using only a single username and password. In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article 5(l)(f) GDPR.”
In terms of patch management, The NCSC announced in January 2020 that it was investigating multiple exploitations of a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Citrix Gateway that allows an unauthenticated attacker to perform arbitrary code execution on a network. The vulnerability was widely reported online in early January 2020. Attackers appeared to be deploying various payloads once exploitation had taken place.
Citrix provided a patch on 19 January, but Tuckers only installed it in June 2022, five months after it was released. This was despite the fact that the NCSC warned in its alert in January that it was important to instal latest updates as soon as possible. The NCSC also published further advisory statements on the vulnerability.
The ICO says in its report: “The Commissioner has considered relevant industry standards of best practice, including the ISO27002 suggestion that organisations should define a timeline to react to notifications of potentially relevant technical vulnerabilities, and once a vulnerability has been identified, associated risks should be identified and actions taken, such as patching the system to remove the vulnerability.”
It adds: “The Commissioner understands the CVE scored a CVSS5 of 9.8: A score of 9.8 is rated as “critical”. The ‘NCSC Cyber Essentials’ requires patches that are rated as ‘high’ or ‘critical’ should be applied within 14 days of the release of the patch. As stated, the patch was released in January 2020 and installed some five months later.”
The ICO concluded: “Taking into consideration the highly sensitive nature of the personal data that Tuckers were processing, as well as the state of the security updates, and the costs of implementation for them, Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk. In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article S(l)(f) GDPR.”
Tuckers argued that it was unlikely that an attacker would have exploited the vulnerability to gain access to the network before June but then not executed the attack until August 2020. However, the ICO was not persuaded, commenting: “This is a common attacker tactic used by advanced persistent threat groups. Accordingly, the Commissioner is not persuaded that the passage of time from June 2020 (when the patch was implemented) and August 2020 (when the attacker exfiltrated data) casts significant doubt on the likelihood of this patching delay having given the attacker the opportunity they exploited. In any event, even if the attack did not exploit this delay, the delay was nonetheless a significant deficiency in Tuckers’ technical measures that created the risk of serious incidents such as this.”
Lack of MFA and patching were not the only failures cited by the ICO, which found that personal data stored on Tuckers’ archive server that was subject to the attack had not been encrypted. It said: “The Commissioner accepts that encryption of the personal data may not have prevented the ransomware attack. However, it would have mitigated some of the risks this attack posed to the affected data subjects.”
The ICO’s Security Outcomes guidance suggests implementing technical controls such as encryption to prevent unauthorised or unlawful processing of personal data. The SRA also published guidance in 2017 which highlights encryption as a cost-effective step in keeping information safe. The ICO ruling on Tuckers said: “…Tuckers should not have been storing the archive bundles in unencrypted, plain text format. In doing so, it did not ensure appropriate security, including protection against unauthorised and unlawful processing of its personal data, as required by Article S(l)(f) GDPR. 68. For the same reasons, Tuckers also failed to meet the requirements of Article 32(l)(a), which expressly cites the encryption of personal data as an appropriate security measure.”
The criminal law firm failed a Cyber Essentials assessment in October 2019: the ICO observed that it should not only have met but surpassed the requirements, commenting: “Given the personal data that Tuckers was processing, including special category data of very vulnerable individuals, the Commissioner believes that it is reasonable to expect that the security within Tuckers should have not only have met, but surpassed the basic requirements of Cyber Essentials. The fact that some 10 months after failing Cyber Essentials it had still not resolved this issue is, in the Commissioner’s view, sufficient to constitute a negligent approach to data security obligations.”
Further “negligent practices” included:
- processing personal data on an operating system which ended mainstream support in 2015 and extended support in January 2020, meaning that it no longer received security updates. While the name is redacted in the report, it is common knowledge that Windows 7 ended mainstream support in 2015 and extended support in January 2020.
- Storing court bundles after the seven-year retention period, some of which were exfiltrated through this attack. “A failure to adhere to or to justify departures from its retention practices creates concerns about compliance with Article S(l)(e) GDPR, which requires personal data to be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed,” the ICO found.
In deciding on the level of fine, mitigating factors included that Tuckers have engaged with third party experts to increase the security of its systems; updated its infrastructure and implemented MFA. It has also instructed an outside vendor to take care of updating and patching its core infrastructure and software. It has engaged with Cyber Griffin and agreed to Cyber Griffin doing an audit of its security procedures prior to applying for Cyber Essentials and then Cyber Essentials Plus. The firm has automated the deletion of person data in its case management system on the expiry of the retention period and for personal data outside of the CMS, is using an external consultant to identify tools that will support the classification, and automated deletion of personal data.
In a statement, Tuckers said: “Tuckers Solicitors takes data privacy and trust very seriously. We are disappointed in this initial finding from the ICO, relative to an international criminal organisation’s attack on our system and theft of data which was already publicly available.
“We have cooperated in full with the ICO and City of London Police in their investigation. The commissioner makes clear that he accepts that primary culpability for this incident rests with the attacker.
“But for the attacker’s criminal actions, regardless of the state of the security, the breach would not have occurred. Following the attack we have successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and the ICO acknowledges the strengthened procedures which are now in place as we operate from a state of the art system.”