Cybersecurity Is Not Optional: How a £60K Fine Just Woke Up Small Law Firms

Once upon a time, small law firms believed they were invisible to hackers. Too small, too niche, too "not worth the effort," right? Fast forward to reality: a small firm just got slapped with a £60,000 fine after a cyber attack that could have been avoided with, frankly, basic cyber hygiene.

Still think "it won't happen to us" is a business strategy? Let's take a look at the spectacular faceplant of DPP Law Ltd, and what it means for every small firm still trusting their IT security to crossed fingers and good intentions.

The DPP Law Disaster: A Cautionary Tale

In June 2022, DPP Law Ltd — a Merseyside-based firm dealing with sensitive legal matters like criminal defence and family law — found itself in the middle of a cyber attack. And not the "nuisance" kind, either. Their systems were down for over a week. Worse, the National Crime Agency had to break the bad news that 32GB of stolen client data had popped up on the dark web.

It turned out that a rarely used admin account, protected by a password and absolutely nothing else, was brute-forced by an attacker. No multi-factor authentication (MFA). No warning signs. No chance, really.

And then — because things clearly weren't bad enough — DPP decided not to report the breach for 43 days. GDPR requires reporting within 72 hours. Forty-three days. Let that sink in.

The ICO's Response: Polite, Firm, and £60,000 Later

The Information Commissioner's Office (ICO) conducted an investigation and, shockingly, did not hand out gold stars. Instead, they found:

  • No MFA on critical admin accounts

  • Legacy systems wide open for attack

  • No effective breach detection

  • Breach notification rules completely ignored

In return, DPP Law received a £60,000 fine and the kind of reputational hit that no amount of Lexcel accreditation can polish over.

Small firm, big problem.

Cybersecurity Myth #1: "We're Too Small to Target"

Wrong. Dead wrong. Hackers love small firms because, frankly, they expect you to be asleep at the wheel. Less security. More sensitive data. Easier wins.

If you still think criminals are only aiming for multinational giants, ask yourself: Would a thief rather crack Fort Knox or sneak through an unlocked backdoor in a sleepy village?

Exactly.

Cybersecurity Myth #2: "We Have Cyber Essentials, So We're Fine"

DPP had Cyber Essentials certification. Spoiler: it did not save them.

Certification is a starting point. Not a force field. If you treat a basic audit checklist as "job done," you are not secure — you are a sitting duck with paperwork.

Cyber Essentials tells you where the floor is. You still have to build the walls and roof yourself.

And here’s the kicker — Cyber Essentials is an annual exercise. Done properly, it should have picked up the very weaknesses that allowed the breach to happen. Skipping over old risks and rubber-stamping your renewal is not the same as actually being secure.

Are you building, or are you just admiring your floor tiles?

Basic Cyber Hygiene: Not Rocket Science

Here are some facts even the ICO is tired of repeating:

  • MFA stops most account breaches. It is not optional.

  • Patch your systems. Not when you feel like it. Promptly.

  • Monitor your network. If 32GB of data leaves your building, someone should probably notice.

  • Have an incident response plan. Preferably one that doesn't involve "panic quietly for six weeks."

  • Report breaches within 72 hours. Not "whenever you get round to it."

None of these steps are expensive. Most are cheaper than replacing all your clients' trust in you after their private data is sold to the highest bidder.
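The "no effective breach detection" finding above comes down to nobody watching failed logins against a dormant admin account. As an added illustration (not code from the original post, and run over constructed sample lines, not real DPP Law logs), here is the kind of minimal detection rule a small firm's monitoring could apply to authentication logs: flag a burst of failures from one source against one account, and escalate when a success follows that burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, account, source IP, result).
SAMPLE_LOG = """\
2022-06-01T02:10:01 admin-legacy 198.51.100.7 FAIL
2022-06-01T02:10:03 admin-legacy 198.51.100.7 FAIL
2022-06-01T02:10:05 admin-legacy 198.51.100.7 FAIL
2022-06-01T02:10:07 admin-legacy 198.51.100.7 FAIL
2022-06-01T02:10:09 admin-legacy 198.51.100.7 FAIL
2022-06-01T02:10:12 admin-legacy 198.51.100.7 SUCCESS
2022-06-01T08:30:00 jsmith 192.0.2.10 FAIL
2022-06-01T08:30:20 jsmith 192.0.2.10 SUCCESS
"""

FAIL_THRESHOLD = 5             # this many failures from one source against one account...
WINDOW = timedelta(minutes=5)  # ...inside this window counts as a brute-force burst


def parse_line(line):
    ts, user, src, result = line.split()
    return datetime.fromisoformat(ts), user, src, result


def detect_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (account, source, kind).

    kind is 'burst' when a failure burst is seen and 'burst_then_success'
    when a login succeeds right after a burst, which is the case that
    should page someone rather than sit in a log nobody reads."""
    recent = defaultdict(deque)  # (account, source) -> timestamps of recent failures
    bursting = set()             # keys currently in a burst
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, src, result = parse_line(line)
        key = (user, src)
        q = recent[key]
        while q and ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append((user, src, "burst"))
        elif result == "SUCCESS":
            if key in bursting:
                alerts.append((user, src, "burst_then_success"))
            bursting.discard(key)
            q.clear()
    return alerts
```

A single user mistyping a password once (jsmith in the sample) produces no alert; the five rapid failures followed by a success against the admin account do.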

DPP's Delayed Breach Report: How to Make a Bad Situation Worse

When DPP finally reported the breach — well after the legal deadline — they claimed they thought it was just "loss of access," not a real data breach.

Bless.

When confidential client data is waltzing around the dark web, that is a breach. Pretending otherwise does not make it go away. It makes regulators angry. And it makes fines bigger.

Still think 43 days is a reasonable timeframe? You might want to set a reminder. Or better yet, put a real breach notification process in place.

Legacy Systems: The Quiet Saboteur in Your Office

DPP's attackers strolled in via a creaky old legacy system. Probably one everyone meant to replace "one day."

Old systems are like unsecured garden sheds: a nice place for burglars to get started.

If you still have ancient case management systems lurking in your server room, newsflash: so do hackers. They call it "low-hanging fruit."

Audit your legacy kit. Patch it, isolate it, or finally put it out of its misery. Waiting "until budget allows" is another way of saying "until we're hacked."

What Small Law Firms Must Learn (Preferably Yesterday)

  • Turn on MFA for every account you care about.

  • Patch everything. Not just Windows. Routers. Printers. That weird timesheet software Dave from accounts installed in 2013.

  • Monitor your systems for unusual activity. Thirty-two gigabytes do not move invisibly.

  • Have a plan for incidents. Not a wish. A plan.

  • Take breach reporting seriously. Your regulator does.

  • View Cyber Essentials as a floor, not a roof. Getting certified is good. Thinking you're done is bad.

Questions Every Small Firm Should Be Asking (Right Now)

  • When was the last time we tested our backups?

  • Who is responsible for monitoring for breaches?

  • Are all our critical systems protected by MFA?

  • Could we detect a breach before the NCA rings us?

  • If we had to report a breach today, would we know how?

Final Thought: The Cost of Doing Nothing

DPP Law Ltd is now £60,000 lighter. Their reputation has taken a beating. All because basic cyber hygiene was treated as an optional extra.

In today's world, cybersecurity is not something you "get around to". It is a core part of running a professional practice. Like paying your staff or showing up for court on time.

If you are still crossing your fingers and hoping for the best, ask yourself one more question: When the fine lands, will it be cheaper than doing it right in the first place?

Spoiler: it won't be.

Considering Cyber Essentials certification or improving your firm's cybersecurity posture? Now is the time. Basic cyber hygiene protects your clients, your reputation, and your bottom line. Getting started is easier — and cheaper — than surviving a breach.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com