Company fined £60k after cyber attack
The National Crime Agency told the firm that information relating to its clients had been posted on the dark web
A Merseyside law firm has been fined £60,000 after a cyber attack that led to highly sensitive and confidential personal information being published on the dark web. The Information Commissioner’s Office (ICO) found DPP Law Ltd, which has offices on Stanley Road in Bootle and Tithebarn Street in Liverpool city centre, failed to put appropriate measures in place to ensure the security of personal information held electronically.
According to the ICO, this failure enabled hackers to gain access to DPP’s network via an infrequently used administrator account that lacked multi-factor authentication (MFA), and to steal large volumes of data.
This occurred in June 2022 when DPP suffered a cyber attack which affected access to the firm’s IT systems for over a week. A third-party consulting firm established that a brute force attempt gained access to an administrator account that was used to access a legacy case management system.
This enabled the attackers to move laterally across DPP’s network and take more than 32GB of data, a fact DPP only became aware of when the National Crime Agency contacted the firm to advise that information relating to its clients had been posted on the dark web.
The ICO said DPP did not consider that the loss of access to personal information constituted a personal data breach. As a result, it did not report the incident to the ICO until 43 days after it became aware of it.
However, DPP told the ECHO that it disagrees with the ICO's findings and it will be lodging an appeal. DPP said it cooperated fully with the investigation.
Andy Curry, ICO interim director of enforcement and investigations, said: "Our investigation revealed lapses in DPP’s security practices that left information vulnerable to unauthorised access.
"In publicising the errors which led to this cyber attack, we are once again highlighting the need for all organisations to continually assess their cybersecurity frameworks and act responsibly in putting in place robust measures to prevent similar incidents.
"Our investigation demonstrates we will hold organisations to account for a failure to notify where there was a clear obligation to do so at the time of the underlying incident.
"Data protection is not optional. It is a legal obligation, and this penalty should serve as a clear message: failure to protect the information people entrust to you carries serious monetary and reputational consequences."
DPP specialises in law relating to crime, military, family, fraud, sexual offences and actions against the police. An ICO statement said: "The very nature of this work means it is responsible for both highly sensitive and special category data, including legally privileged information.
"As the information stolen by the attackers revealed private details about identifiable individuals, DPP has a responsibility under the law to ensure it is properly protected."
The law requires organisations to take continual and proactive steps to protect themselves against cyber attacks. This includes ensuring all IT systems have MFA or equivalent protection, regularly scanning for vulnerabilities and installing the latest security patches without delay.
A DPP spokesperson told the ECHO: "DPP Law fully cooperated with the ICO investigation regarding the cyber-attack in June 2022. We disagree with the conclusions reached by the Information Commissioner's Office, and we will be lodging an appeal.
"DPP Law holds the Law Society quality standard, Lexcel, and is Cyber Essentials certified. This demonstrates our commitment to robust standards in both legal practice management (Lexcel) and cybersecurity (Cyber Essentials). These independent certifications are intended to assure clients and stakeholders of our adherence to best practices."