Menu Close

Learning from the ICO’s recent fine following a cyberattack on a law firm

ICO fines Tuckers Solicitors after a hacker published legal documents on the dark web

What happened

  • After a cyberattack saw almost a million legal documents stolen and dumped onto the dark web, the UK government’s data regulator fined London-based law company Tuckers Solicitors £98,000 for failing to adequately look after its clients’ data.

  • The cyber attack resulted in 972,191 files being stolen from the firm, including 60 court bundles that were later published on the darknet, the UK government’s Information Commissioner’s Office (ICO) said the criminal solicitors firm – which has offices across the country in major cities including London, Manchester, and Birmingham – failed to put in place proper cybersecurity measures.

  • Tuckers was fined £98,000 by the Information Commissioner’s Office (ICO) after the ICO found the company had infringed GDPR requirements by failing to implement adequate cybersecurity measures and failed to protect its customers’ data.

Why it matters

  • The files were released after a hacker placed several tools on Tucker’s machine that allowed them to create their own account, according to the ICO. After that, the attacker exploited the account to steal 60 court bundles and publish them on the darknet.

  • The hacker took advantage of the company’s move to remote working by infiltrating an app that allowed employees to access their work laptops from home, according to the ICO.

  • Tuckers, on the other hand, failed to implement very inexpensive and easy cybersecurity safeguards, such as multi factor authentication (MFA), that may have stopped the hack, according to the watchdog.

New guidance issued in Norway on cloud computing

What happened

  • The utilisation of cloud has been one of the technologies that has raised concerns for several years. This is owing, among other things, to the fact that cloud services have become widely adopted by the market and that cloud is the primary IT service delivery paradigm in many areas of business.

  • This new guidance issued by the Norwegian data protection authority is intended particularly for organisations that want to begin utilising one or more cloud services, and it seeks to address the relevant aspects of data protection law that data controllers should consider while using cloud services.

  • Many of the difficulties raised in this guidance, however, are applicable to most other IT service delivery models.

Why it matters

  • Cloud computing does not raise any new difficulties in terms of data protection law as compared to traditional IT service delivery models.

  • However, there are some aspects of data protection regulation that data controllers should be aware of while using cloud services.

  • These include (i) the use of processors and sub-processors, (ii) processing security and (iii) personal data transfers to third countries.

  • This guidance is not intended to add anything to the definition of cloud services, and it does not address the commercial motivations to adopt cloud services, or the lack thereof.

Cookie banners targeted in latest action by advocacy group

What happened

  • Noyb, a European privacy advocacy group, has filed a second round of cookie consent complaints (270 in total), alleging that websites in the region are failing to properly solicit users’ authorization to be tracked for ad targeting.

  • Consent popups that lack a clear choice and/or employ illegal dark patterns to fool customers into “agreeing” to be monitored and profiled so that the publisher can profit from selling their attention are the problem.

  • The advocacy group’s response is straightforward: either fix your deceptive cookie pop-ups or face legal action.

  • Noyb said it will file formal complaints with EU data protection authorities if the websites receiving its complaints do not fix their non-compliant cookie banners.

Why it matters

  • This latest action by noyb on deceptive cookie banners comes after a first wave of 560 complaints it sent to sites last year, focusing on users of the OneTrust consent management platform, which it claims resulted in significant change, with nearly half (42%) of all violations it identified being remedied within 30 days (noyb gives sites 60 days to make recommended changes before it files a formal complaint).

  • While the EU’s General Data Protection Regulation (GDPR) has resulted in many cross-border complaints being funnelled through Ireland’s Data Protection Authority (DPA), creating a notorious bottleneck that has hampered GDPR enforcement, France has been able to take the lead on this issue because cookie consent falls under the older ePrivacy Directive


Samad Miah

Data Protection Consultant

Speak to me directly by Email, or
Telephone:+44 (0)20 3745 7843 


Samad has a strong track record in data protection, both as an industry practitioner and as a consultant, helping organisations successfully address their obligations towards the Information Commissioner’s Office and other regulatory bodies.

To discuss how the above or other data protection requirements impact your business, feel free to get in touch with our team. We provide our clients with pragmatic advice and support to help them achieve a robust and defensible position.


Stay in control of
your inbox

Register your details to receive our featured insights, news and analysis covered ‘In Perspective’ from our Data Protection team.

Stay up to date and discover how the requirements impact your business.