PrivacyCache
GB | Data Breach | Other | Decision: 2022-03-10

Tuckers Solicitors LLP

GBP 98K

Issued by Information Commissioner's Office (ICO) on 2022-03-10

What happened

The ICO fined Tuckers Solicitors LLP, a criminal defence law firm, £98,000 after a ransomware attack compromised the personal data in 60 court bundles, which held sensitive information relating to criminal proceedings. The attack encrypted 972,191 files, of which 24,712 related to court bundles. The compromised data included sensitive legal documents covering criminal cases, witness statements, and other highly confidential legal materials. The ICO found that Tuckers had failed to implement appropriate security measures: the firm did not use multi-factor authentication, patch management was inadequate, and there was no adequate encryption of personal data at rest. As a small law firm handling extremely sensitive criminal case data, the security obligations were particularly high.

Articles violated

Art. 5(1)(f) UK GDPR; Art. 32 UK GDPR

Lessons learned

Law firms handling sensitive criminal case data must implement security measures proportionate to the extreme sensitivity of the information. Multi-factor authentication is a baseline requirement, not an optional enhancement. Small professional services firms are not exempt from GDPR security obligations — indeed, the sensitivity of their data may require higher standards. Regular patching and encryption of data at rest are fundamental security controls. This case demonstrates that even modest fines carry significant reputational damage for professional services firms.


Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
