Law Firm Fined £60,000 After Cyber Attack: This Could Be Your Business Next!

Imagine receiving a call telling you that confidential client information – including sensitive medical and legal records – has appeared on the dark web. Your systems are still down. Your reputation is hanging by a thread. And worse, regulators are on the phone.

This is not a hypothetical.

In April 2025, the Information Commissioner’s Office (ICO) fined a small UK law firm £60,000 after a serious cyber attack. The reason? Basic cybersecurity failings that could happen to almost any organisation.

Could it happen to yours?

The Breach That Should Never Have Happened

DPP Law Ltd, based in Merseyside, suffered a major cyber attack in June 2022. Attackers exploited an administrator account protected only by a simple password. No multi-factor authentication. No extra safeguards.

Using this single weakness, the attackers accessed a legacy case management system. From there, they moved through the firm’s network and stole 32 gigabytes of highly sensitive personal data.

And the firm did not even realise it. They only learned of the breach when the National Crime Agency contacted them weeks later.

Ask yourself: how quickly would your organisation notice?

Sensitive Data, Serious Responsibility

DPP Law handled incredibly sensitive material: criminal defence files, family law cases, medical data, actions against police. In short, exactly the kind of information criminals would love to exploit.

This is not unusual. Many SMBs, not just law firms, hold sensitive data that could cause real harm if leaked. If you manage client information, staff details, medical records, or financial data, you are a target too.

Would your current cybersecurity controls stand up to scrutiny?

The ICO’s Findings: Familiar Mistakes

The ICO’s investigation found:

  • Critical accounts were not protected by multi-factor authentication

  • Legacy systems were poorly secured and accessible

  • Monitoring failed to spot abnormal activity, like mass data downloads

  • There was no timely incident response

  • The firm delayed reporting the breach for 43 days – breaching the UK GDPR 72-hour rule

Sound familiar? These are the same issues that trip up countless organisations every year.

The security mistakes were not exotic. They were basic.

Could you be overlooking the same gaps?

The £60,000 Fine: A Message to All Businesses

The ICO did not just fine DPP Law for the breach itself. They fined them because the breach was preventable.

Andy Curry, Director of Investigations at the ICO, made it clear: “Data protection is not optional. Organisations must continually assess their cybersecurity.”

In other words, it is not enough to have policies sitting in a drawer. It is not enough to have passed an audit years ago. You need active, living, breathing security in place.

Is your organisation really doing enough?

Lessons Every SMB Must Learn

This case shows that no business, however small, can afford to take cybersecurity lightly.

Here is what every SMB – and especially every small law firm – must urgently do:

  1. Enforce Multi-Factor Authentication Everywhere: Passwords alone are not protection. MFA is cheap, easy to implement, and a legal expectation for critical systems.
  2. Identify and Secure Legacy Systems: Outdated technology is a major risk. If a system is essential, isolate it and monitor it. If it is not, replace it.
  3. Monitor for the Unexpected: Would you know if someone started downloading gigabytes of data? You need basic alerts and logging.
  4. Have a Proper Incident Response Plan: If you suffer an attack, minutes matter. Have a clear, rehearsed plan for who acts, how, and when.
  5. Understand Breach Notification Rules: Breaches must be reported to the ICO within 72 hours if there is any risk to individuals' rights. Delay and you risk doubling your trouble.
  6. Take Special Care With Special Data: The more sensitive the information you hold, the higher the bar. Medical data, legal files, criminal records – all demand gold-standard protection.
  7. Budget for Protection, Not Just Recovery: Prevention is always cheaper than fines, lawsuits, and reputational damage.
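To make lesson 3 concrete, here is an added example (not code from the original article, the ICO or DPP Law) of the simplest useful "mass download" alert: a rolling one-hour byte count per account and system, run over constructed access-log lines. The log format, account names, the system name "cms-legacy" and the 1 GiB-per-hour threshold are all assumptions; real logs would come from your file server, case management system or proxy.

```python
"""Rolling-window volume alert for unusual downloads (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <system> <bytes>".
# Two ordinary users pull a few megabytes; one account pulls gigabytes within an hour.
SAMPLE_LOG = """\
2022-06-01T09:02:11 jsmith cms-legacy 2400000
2022-06-01T09:40:52 jsmith cms-legacy 1800000
2022-06-01T10:15:03 admin cms-legacy 900000000
2022-06-01T10:22:47 admin cms-legacy 1200000000
2022-06-01T10:41:19 admin cms-legacy 1500000000
2022-06-01T13:05:00 tlee cms-legacy 300000
"""

WINDOW = timedelta(hours=1)           # assumed rolling window
THRESHOLD_BYTES = 1 * 1024 ** 3       # assumed threshold: 1 GiB per account per hour


def parse_line(line):
    """Split one constructed log line into (timestamp, user, system, bytes)."""
    ts, user, system, nbytes = line.split()
    return datetime.fromisoformat(ts), user, system, int(nbytes)


def find_mass_downloads(log_text, window=WINDOW, threshold=THRESHOLD_BYTES):
    """Return one (user, system, window_start, total_bytes) tuple per account
    whose transfer volume from a single system exceeds `threshold` within `window`."""
    recent = defaultdict(deque)   # (user, system) -> events still inside the window
    totals = defaultdict(int)     # (user, system) -> bytes inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, system, nbytes = parse_line(line)
        key = (user, system)
        recent[key].append((ts, nbytes))
        totals[key] += nbytes
        # Expire events older than the window before comparing against the threshold.
        while recent[key] and ts - recent[key][0][0] > window:
            _, old = recent[key].popleft()
            totals[key] -= old
        if totals[key] > threshold and key not in alerted:
            alerted.add(key)
            alerts.append((user, system, recent[key][0][0], totals[key]))
    return alerts


if __name__ == "__main__":
    for user, system, start, total in find_mass_downloads(SAMPLE_LOG):
        print(f"ALERT: {user} pulled {total / 1024**3:.1f} GiB from {system} since {start}")
```

A single volume rule like this would not have stopped the intrusion, but it would have produced a signal weeks before the National Crime Agency called; tune the threshold to your own users' normal daily volumes.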

If you are still relying on luck, now is the time to change.

This Could Easily Be Your Organisation

It is tempting to think “we are too small to be a target” or “we are not important enough.” DPP Law probably thought the same. They were not a global giant. Yet they still ended up compromised, fined, and on the front pages.

Cyber criminals do not discriminate. They follow the path of least resistance.

Is your organisation the low-hanging fruit they are looking for?

Today, you have a choice. You can strengthen your defences. You can patch your weaknesses. You can prepare for the worst and reduce the risk dramatically.

Or you can do nothing and hope for the best.

What will your decision be?

If you are not sure whether your organisation would pass the test, get in touch. Our team specialises in helping SMBs put the right cybersecurity foundations in place – without breaking the bank.