English law firm fined £60,000 after cyber attack

The UK’s privacy regulator has imposed a £60,000 fine on an English law firm following a cyber attack that led to highly sensitive and confidential personal information being published on the dark web.
The Information Commissioner’s Office (ICO) found that Merseyside-based DPP Law Ltd had failed to put appropriate measures in place to ensure the security of personal information held electronically.
This failure allowed attackers to gain access to DPP’s network through an infrequently used administrator account that lacked multi-factor authentication (MFA), and to steal large volumes of data.
DPP specialises in law relating to crime, military, family, fraud, sexual offences and actions against the police. The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.
Because the information stolen by the attackers revealed private details about identifiable individuals, DPP had a legal responsibility to ensure it was properly protected.
Andy Curry, director of enforcement and investigations (interim), said: “Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.
“In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.
“Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.
“Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences.”