DPP Law Ltd, based in Merseyside, has been fined £60,000 by the Information Commissioner’s Office (ICO) after a cyber attack led to sensitive personal data being leaked on the dark web.
The breach occurred when hackers accessed DPP’s network through an unused administrator account that lacked multi-factor authentication. The ICO found that the firm had failed to implement adequate security measures to protect the data.
DPP Law handles highly sensitive cases—including criminal, military, family, and sexual offence matters—placing it under strict data protection obligations. The stolen information included legally privileged and special category data relating to identifiable individuals.
The case highlights the critical need for strong cybersecurity, especially in organisations managing confidential and sensitive information.
