On 30 May 2022, Nelsons – a Derby-based law firm with branches in Leicester and Nottingham – experienced a cyber-attack. In this quick guide, our expert data protection solicitors explain what happened in the Nelsons data breach.
The legal sector is a lucrative target for hackers, with solicitors holding some of our most sensitive information. As such, strict policies and procedures must be in place to ensure the safe processing of client data. But all too often, this is not happening, and on 18 July 2022, Derby-based law firm Nelsons emailed clients to let them know that their data could have been accessed by cybercriminals.
The firm, which also has branches in Leicester and Nottingham, confirmed that it had been “the victim of a cyber-incident which caused disruption to our IT systems”.
The incident took place on 30 May 2022. This means that private data was in the hands of criminals for six weeks before clients were informed. Had they been told earlier, these clients could have taken immediate action to protect themselves.
According to Nelsons, the incident happened when an unauthorised third party gained access to part of its systems.
The third party later claimed that it had successfully copied a quantity of Nelsons’ data during this attack. This includes information provided by clients to Nelsons to verify their identity.
Should this information be used by cybercriminals, the consequences could be devastating. At Keller Postman UK, we have seen many cases where identification data is sold on the dark web and used to carry out identity theft, fraud, and phishing scams.
Nelsons took immediate steps to contain the security incident after it was detected. It also alerted the Information Commissioner’s Office (ICO), the Solicitors Regulation Authority (SRA), the Financial Conduct Authority (FCA) and the National Cyber Security Centre (NCSC).
However, questions remained about why the firm took so long to alert clients, especially as it acknowledges that “data of this type could in theory be used as part of attempted identity theft or fraud” and “also contains personal and sensitive information”.
By signing up to CyberScout, Nelsons clients gained access to “certain out-of-pocket expenses” they may incur in the event that they have fraud or identity theft issues. This includes things like postage, travel costs, lost wages, and replacement documents. But this didn’t give clients justice for the breach of their data protection rights.
If Nelsons’ data security processes made the attack possible, affected clients likely had a strong compensation claim. Nelsons notified everyone affected, and if you received this email, you were eligible to join our data breach action against the firm.