
ICO issues £98,000 penalty following ransomware attack

The Information Commissioner’s Office (ICO) imposed a penalty on a leading UK law firm for breaching the UK General Data Protection Regulation (GDPR).
July 13, 2022

On March 10, 2022 the Information Commissioner’s Office (ICO) imposed a £98,000 penalty on a leading UK law firm for breaching the UK General Data Protection Regulation (GDPR).

This decision has a number of useful takeaways for studios and production companies which operate in the UK.

What happened?

In August 2020 the law firm learned that its IT systems had been the subject of a ransomware attack, which had resulted in a personal data breach.

The attacker infiltrated the law firm’s network and encrypted 972,191 individual files, 60 of which were later released onto underground data marketplaces. The encrypted files included both personal data and special category data, including:

  • Basic identifiers
  • Health data
  • Economic and financial data
  • Criminal convictions
  • Data revealing racial or ethnic origin

The law firm commissioned a third party to investigate the incident, but the investigator was unable to determine conclusively how the attacker had gained access to the network. However, it did find evidence of a known system vulnerability that could have been used either to access the network or to further exploit the law firm once inside the network.

The Decision

The ICO found that the law firm had breached Article 5(1)(f) of the UK GDPR (“Integrity and Confidentiality”). Under Article 5(1)(f), personal data must be: "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

The ICO acknowledged that the attacker was primarily responsible for the data breach. However, the law firm had contravened the UK GDPR by, among other things, having a vulnerable network which could be exploited.

In particular, the ICO stated that the law firm had failed to:

  • Implement multi-factor authentication (MFA) for its remote access solution (despite two-factor authentication being required under its GDPR and Data Protection Policy).
  • Encrypt its data when it was at rest (i.e., when stored), despite ICO guidance from 2018 recommending this.
  • Apply a high-risk security patch until four months after it was released.
  • Delete stored court bundles after the seven-year retention period, some of which were exfiltrated through this attack.

The Penalty

Based on the nature, gravity and duration of the infringement – including the number of data subjects affected and the level of damage they suffered – the ICO imposed a penalty of £98,000 on the law firm.

Key takeaways for productions

This decision has a number of key takeaways for studios and production companies operating in the UK.

Protect your data with MFA

The National Cyber Security Centre recommends the use of MFA to mitigate against password guessing and theft, including brute force attacks. According to the ICO, had MFA been used in this case, the likelihood of the attack would have been substantially reduced.

Encrypt your data

Should an attacker obtain access to your data, effective encryption can prevent them from reading it, helping you to maintain the principle of data confidentiality under the UK GDPR.

Delete data once you no longer need it

Article 5(1)(e) of the UK GDPR requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Keep information security at the forefront of your mind

This decision follows a number of recent ICO penalty decisions, including its decisions to fine the Home Office £500,000 and a charity £10,000 for breaches of the UK GDPR. Coupled with the recent announcement that the ICO is now able to keep up to £7.5 million of funds paid as a result of its civil monetary penalties – which it will use to “hold those who don't comply to account” – it’s clear that the ICO is continuing to crack down on organisations which breach the UK GDPR. As such, it’s essential to have sufficient safeguards in place to protect your crew data, and to maintain a record of those safeguards in case of a dispute.

For more information on how the Production Portal helps you to secure your production data, see our guide to information security.
