A single forgotten account. Thirty-two gigabytes of privileged data. One devastating breach.

DPP Law Ltd, a UK-based legal firm, was fined £60,000 by the Information Commissioner’s Office (ICO) after a cyberattack exposed highly confidential client data — including legally privileged information — on the dark web. The attack was traced back to a legacy administrator account from 2001, still active and unprotected by multi-factor authentication or egress logging, giving attackers a direct route to exfiltrate sensitive data undetected.

The firm discovered the breach only when contacted by the National Crime Agency, and a 43-day delay in reporting further worsened penalties. In total, 682 clients and 109 experts were affected — many suffering severe personal and psychological harm.

Presented by ProtekCyber, UK-based cybersecurity consultancy helping businesses build clarity, control, and cyber confidence, this episode breaks down how simple security oversights led to catastrophic consequences. We examine why the ICO held even a small law firm accountable, the legal and ethical implications under GDPR, and the critical lessons every professional services firm must learn about governance, auditing, and regulatory compliance.

With a 77% surge in cyberattacks on UK law firms, this case is a stark warning that no organisation is too small to be targeted — and that failure to secure legacy systems, enforce MFA, and establish a proactive incident response plan can lead to irreversible reputational and financial damage.

ProtekCyber — Where clarity meets control, and businesses meet cyber confidence.

Web: ⁠⁠⁠www.protekcyber.co.uk⁠⁠ | Email: Info@protekcyber.co.uk | Tel: 020 4634 1971

Listen now — before your business becomes the next headline.