EP NowEP StoreAcademySupportCommunityProducts by Country
Legal & Compliance Home

ICO issues £98,000 penalty following ransomware attack

Information Commissioner’s Office (ICO) imposed penalty on a leading UK law firm for breaching the UK General Data Protection Regulation (GDPR).
July 13, 2022
Blue graphic with map of UK and title ICO penalty following ransomware attack

On March 10, 2022 the Information Commissioner’s Office (ICO) imposed a £98,000 penalty on a leading UK law firm for breaching the UK General Data Protection Regulation (GDPR).

This decision has a number of useful takeaways for studios and production companies which operate in the UK.

What happened?

In August 2020 the law firm learned that its IT systems had been the subject of a ransomware attack, which had resulted in a personal data breach.

The attacker infiltrated the law firm’s network and encrypted 972,191 individual files, 60 of which were later released onto underground data marketplaces. The encrypted files included both personal data and special category data, including:

  • Basic identifiers
  • Health data
  • Economic and financial data
  • Criminal convictions
  • Data revealing racial or ethnic origin

The law firm commissioned a third party to investigate the incident, but it was unable to determine conclusively how the attacker had been able to access the network. However, it did find evidence of a known system vulnerability that could have been used to either access the network or further exploit the law firm once inside the network.

The Decision

The ICO found that the law firm had breached Article 5(1)(f) of the UK GDPR (“Integrity and Confidentiality”). Under Article 5(1)(f), personal data must be: "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures."

The ICO acknowledged that the attacker was primarily responsible for the data breach. However, the law firm had contravened the UK GDPR by, among other things, having a vulnerable network which could be exploited.

In particular, the ICO stated that the law firm had failed to:

  • Implement multi-factor authentication (MFA) for its remote access solution (despite two-factor authentication being required under its GDPR and Data Protection Policy).
  • Encrypt its data when it was at rest (ie, when stored), despite ICO guidance from 2018 recommending this.
  • Apply a high-risk security patch until four months after it was released.
  • Delete stored court bundles after the seven-year retention period, some of which were exfiltrated through this attack. 

The Penalty

Based on the nature, gravity and duration of the infringement – including the number of data subjects affected and the level of damage they suffered – the ICO imposed a penalty of £98,000 on the law firm.

Key takeaways for productions

This decision has a number of key takeaways for studios and production companies operating in the UK.

Protect your data with MFA

The National Cyber Security Centre recommends the use of MFA to mitigate against password guessing and theft, including brute force attacks. According to the ICO, had MFA been used in this case, the likelihood of the attack would have been substantially reduced.  

Encrypt your data

Should an attacker obtain access to your data, effective encryption can prevent them from reading it, helping you to maintain the principle of data confidentiality under the UK GDPR.  

Delete data once you no longer need it

Article 5(1)(e) of the UK GDPR requires personal data to be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

Keep information security at the forefront of your mind

This decision follows a number of recent ICO penalty decisions, including its decisions to fine the Home Office £500,000 and a charity £10,000 for breaches of the UK GDPR. Coupled with the recent announcement that the ICO is now able to keep up to £7.5 million of funds paid as a result of its civil monetary penalties – which it will use to “hold those who don't comply to account” – it’s clear that the ICO is continuing to crack down on organisations which breach the UK GDPR. As such, it’s essential to have sufficient safeguards in place to protect your crew data, and to maintain a record of those safeguards in case of a dispute.

For more information on how the Production Portal helps you to secure your production data, see our guide to information security.

Topic: UK

Related Content

ICO Issues 4.4M Penalty

ICO Warns Against Complacency as it Hands Out £4.4M GDPR Penalty

11/16/2022
The Information Commissioner’s Office (ICO) imposes hefty penalty for failing to protect employee personal...
Topic: Security
More
uk-gdpr-compliance-for-productions

UK GDPR Compliance for Productions: Q&A with Sheridans

5/4/2022
Special category data, liability, data transfers and reporting - Sheridans answer your questions on the UK...
Topic: UK
More
uk-gdpr-and-how-productions-reduce-exposure-LC

The UK GDPR and how Productions can Reduce their Exposure - Q&A with Sheridans

5/3/2022
Sheridans’ Associate Krishan Neelendra answers key UK GDPR questions from production companies and...
Topic: UK
More
UK Court Issues Warning for Personal Data at Work

UK Court Issues Warning for those with Access to Personal Data at Work 

10/12/2022
UK Coventry Magistrates’ Court fines a former health adviser £3,000 for unlawfully accessing personal data...
Topic: UK
More
Cabinet Office fined for disclosing addresses

Cabinet Office Fined £500,000 for Disclosing Addresses of High-Profile Individuals

7/9/2022
The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for accidentally...
Topic: UK
More
Blue graphic with map of UK and title ICO fines charity for GDPR breach

ICO Fines Charity £10,000 for UK GDPR Breach

7/9/2022
According to the ICO, the charity failed to apply appropriate organizational and technical security...
Topic: UK
More

7 Things Production Finance Teams Need to Know for Budgeting in 2023

1/25/2023
Mark Hammond, VP of International Finance & Ops, shares some of the key factors production finance teams...
EP Newsroom-Thumbnail-PGGB

6FT From The Spotlight Wins Inaugural Earl of Wessex Award at PGGB Talent Showcase

1/25/2023
Film and TV industry charity 6ft From the Spotlight were awarded The Production Guild of Great Britain’s...

Entertainment Partners and Netflix Pledge £500K ($608K) to New PGGB Talent Development Fund

1/25/2023
Production Guild of Great Britain (PGGB) Talent Development Fund will support the development and...

New Union Agreement for Engaging Crew on UK HETV Takes Effect

1/20/2023
Pact/Bectu 2023 agreement makes a number of key changes to the terms and conditions for engaging crew.
Topic: UK
More
Master Series square Thumbnail Pact Bectu Agreement

Understanding the New Pact/Bectu TV Drama Agreement 2023

1/12/2023
Your comprehensive overview of the new Pact/Bectu TV Drama Agreement and how key changes will impact...
Topic: UK
Watch
Virtual Production

The UK Invests in Virtual Production as Content Boom Continues

1/10/2023
The UK is doubling down on Virtual Production infrastructure; learn how and why they’re leading the charge...
Topic: UK
More
Doctor Strange

9 Hollywood Blockbusters Actually Filmed in the UK

12/27/2022
Major US studios are taking advantage of what the UK has to offer, and clever set design and special...
Topic: UK
More

UK Production Incentives All Producers Should Know About

11/17/2022
Don't miss out on the UK's tax incentives, special programs, and national and regional funding...

Behind the Boom: Why the UK is a Hotspot for Production

11/17/2022
Explore the generous industry incentives, talent, and infrastructure available to productions filming in...

Three Mistakes That Can Slow Down Your Production Payroll (And How to Avoid Them)

11/11/2022
Stay compliant with UK rules and regulations, and get your crew and talent paid on time, with these...
UK Govt backtracks on growth plan

UK Government Backtracks on Growth Plan: What it Means for Production

10/18/2022
Former UK Chancellor Kwasi Kwarteng was replaced by Jeremy Hunt after 38-day run, and policies reversed in...
Topic: UK
More
Changes to UK Pensions Act

Proposed Changes to the UK Pensions Act Could Impact Production Budgets

10/12/2022
Reintroduced bill seeks to give UK government the power to extend pensions auto-enrollment to young and...
Topic: UK
More
UK Gov Growth Plan

Mini Budget; Big Changes: What the UK Government’s Growth Plan Means for Production 

10/12/2022
UK Chancellor Kwasi Kwarteng announces new Growth Plan (aka the “mini budget”) and a big shake up of the...
Topic: UK
More
Changes to UK right to work checks

Important Changes to UK Right to Work Checks

9/20/2022
On September 30, 2022 the UK rules around right to work checks will change. Here’s what productions need...
Topic: UK
More
Los Angeles Times logo-sq

Hollywood production in U.K. soars to record levels as crews complain of burnout

8/22/2022
Spending on film and high-end television shoots reach record-breaking amounts as production activity...
Compliant crew contracting panel-square

Compliant Crew Contracting in the UK

8/1/2022
Learn how to ensure your crew contracts are compliant with UK regulations and why the Production Portal is...
Topic: UK
Watch
contracting-in-a-covid-19-world-LC

Contracting in a COVID-19 World  

5/3/2022
The pandemic has affected how UK production companies contract crew. Here’s how to reduce the impact of...
terms-to-include-uk-contracts-LC

Terms to Include in UK Crew Contracts

5/3/2022
Common terms which studios and production companies include in their UK crew contracts.
Topic: UK
More
KJ Lamb and Simon Donovan

Empowering the Next Wave of Production Accountants

5/2/2022
The EP Production Portal team was delighted to participate in the biannual Netflix Assistant Production...
cell phone with sticky note stating sign here

Six e-Consent Myths (and Why They’re Not True)

5/2/2022
Sheridans Associate, Sarmad Saleh, debunks some common e-consent myths.
Topic: Legal
More

Payroll & Finances

PayrollResidualsSmartStartNew SmartTimeProduction PortalEP On LocationSmartAccountingEP LiveSmartPOCASHétPayPaymaster Rate GuideEP Residency

Manage Multiple Productions

AssetHubSmartHubSmartHub Vault
Subscribe now

Be an industry insider with EP's
newsletters and alerts

LegalPrivacy NoticeSecurity
© 2023 Entertainment Partners. All rights reserved.