Incident Analysis

Tuckers Solicitors Data Breach: £98,000 ICO Fine and the Ransomware Attack That Exposed Criminal Case Files

In October 2020, Tuckers Solicitors — a prominent UK criminal defence firm — suffered a ransomware attack that encrypted its systems and resulted in the publication of over 900 court bundles on the dark web. The files contained some of the most sensitive personal data imaginable: witness statements, prosecution materials, case papers relating to individuals in ongoing criminal proceedings. Two years later, the ICO fined the firm £98,000 — not just for suffering the attack, but for failing to have adequate technical and organisational measures in place to prevent it.

ICO fine: £98,000. Over 900 court bundles — containing witness statements and prosecution materials — published on the dark web after a ransomware attack on Tuckers Solicitors in 2020.

What Happened: The Ransomware Attack

In August 2020, Tuckers Solicitors became aware that ransomware had been deployed across its systems. The attackers encrypted the firm's data and, in a now-common double-extortion tactic, exfiltrated files before encryption — publishing them online when no ransom was paid. The published files included court bundles relating to over 60 clients in criminal proceedings, containing witness identities, prosecution evidence, and highly sensitive case papers. The attack was traced to a compromised remote desktop protocol (RDP) connection — an unsecured remote access vector that remains one of the most common initial access points for ransomware attackers.

The ICO Investigation: What the Regulator Found

The ICO's investigation — which concluded with a £98,000 fine in 2022 — found specific failures at Tuckers that allowed the breach to occur and escalate:

  • Failure to implement multi-factor authentication on remote access systems, including the RDP connection used by the attacker
  • Absence of adequate vulnerability management and patching processes
  • Insufficient monitoring of remote access activity that could have detected the intrusion earlier
  • Inadequate data minimisation — archival data that should have been deleted or separately secured was accessible to the attacker
  • No effective encryption of archived case files, meaning data exfiltrated by the attacker was immediately readable

The Nature of the Data: Why This Breach Was Particularly Serious

Criminal defence case files represent some of the most sensitive personal data processed by any organisation. The ICO treated the breach as aggravated, reflecting the extraordinary sensitivity of what was exposed:

  • Witness statements — individuals who gave evidence or were due to give evidence in criminal proceedings, now identifiable
  • Prosecution materials — containing details of alleged offences and the individuals charged
  • Legal professional privilege material — documents created under the protection of privilege, now in the public domain
  • Personal data relating to victims — including in matters involving sexual offences and domestic violence
  • Immigration and custody status of defendants in ongoing proceedings

Lessons for UK Law Firms: The Technical Controls That Could Have Prevented This

The Tuckers breach is a blueprint for what not to do — and equally a roadmap for what every law firm should have in place:

  • MFA on all remote access: the single control most likely to have prevented initial access via the compromised RDP connection
  • RDP hardening or elimination: if remote desktop access is needed, it should be behind a VPN with MFA — not exposed to the internet
  • Endpoint Detection and Response (EDR): would have flagged the lateral movement and ransomware deployment before full encryption
  • Data classification and segregation: highly sensitive archived files should be in cold storage with restricted access, not on the same accessible systems
  • Backup integrity: clean, offline backups would have allowed restoration without paying ransom
  • BlackFog data exfiltration prevention: specifically designed to prevent data from leaving devices even after compromise
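
The remote-access monitoring listed among the missing controls, shown as an added example (not code from the ICO decision, the firm, or any product named here): a Python review of Windows Security logon events that flags successful RDP sessions from outside the expected address ranges or following a run of failed logons. The trusted ranges, thresholds, account names and the one-line export format are assumptions, and the log lines are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: ranges this firm treats as legitimate RDP sources (office LAN
# and VPN pool). Hypothetical values; replace with your own.
TRUSTED_NETS = [ip_network("10.20.0.0/16"), ip_network("10.99.0.0/24")]
RDP_LOGON_TYPE = 10               # Windows "RemoteInteractive" logon type
FAIL_THRESHOLD = 5                # failures before a success counts as guessing
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample in an assumed export format, in time order:
# time, event id (4624 success / 4625 failure), logon type, account, source IP
SAMPLE_LOG = """\
2024-03-04T08:58:12 4624 10 jsmith 10.99.0.14
2024-03-04T23:40:01 4625 3 svc-archive 203.0.113.45
2024-03-04T23:40:09 4625 3 svc-archive 203.0.113.45
2024-03-04T23:40:15 4625 3 svc-archive 203.0.113.45
2024-03-04T23:40:22 4625 3 svc-archive 203.0.113.45
2024-03-04T23:40:30 4625 3 svc-archive 203.0.113.45
2024-03-04T23:41:02 4624 10 svc-archive 203.0.113.45
2024-03-05T02:13:47 4624 10 kpatel 198.51.100.7
"""

def parse(log):
    """Yield (time, event_id, logon_type, account, source_ip) per record."""
    for line in log.splitlines():
        if line.strip():
            ts, event_id, logon_type, account, src = line.split()
            yield (datetime.fromisoformat(ts), int(event_id),
                   int(logon_type), account, ip_address(src))

def review_rdp_logons(log):
    """Return successful RDP logons that warrant review, with reasons."""
    failures = {}                 # source IP -> times of failed logons
    findings = []
    for ts, event_id, logon_type, account, src in parse(log):
        if event_id == 4625:      # failed logon, any logon type
            failures.setdefault(src, []).append(ts)
        elif event_id == 4624 and logon_type == RDP_LOGON_TYPE:
            recent = [t for t in failures.get(src, []) if ts - t <= FAIL_WINDOW]
            reasons = []
            if not any(src in net for net in TRUSTED_NETS):
                reasons.append("untrusted-source")
            if len(recent) >= FAIL_THRESHOLD:
                reasons.append("follows-failed-logons")
            if reasons:
                findings.append((ts.isoformat(), account, str(src), reasons))
    return findings
```

Any "untrusted-source" finding means RDP is reachable from outside the VPN, which is the exposure the hardening bullet above says to remove.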

The Regulatory Consequences: SRA and ICO Implications

The Tuckers case established important precedent for legal sector enforcement. The ICO's fine reflected both the sensitivity of the data and the firm's failure to implement basic controls expected of any data controller. The SRA was also notified and conducted its own review of the firm's systems and controls. For any firm in criminal defence — or any practice area handling sensitive personal data — the Tuckers case is now the benchmark the regulators apply.

Frequently Asked Questions

Why was Tuckers fined if they were the victim of a ransomware attack?

Under GDPR and the Data Protection Act 2018, organisations that process personal data are required to implement appropriate technical and organisational measures to protect it. The ICO's position — confirmed in the Tuckers decision — is that suffering an attack is not in itself a breach. Failing to have adequate controls to prevent or limit the impact of the attack is. Tuckers did not have MFA on remote access, adequate patching, or monitoring in place. These omissions were the breach.

Are all law firms at risk of this type of attack?

Yes. Ransomware attackers do not specifically target criminal defence firms — they target any organisation with accessible systems and sensitive data worth paying for. Conveyancing firms, commercial firms, immigration practices, and family law firms are equally targeted. The attack vector (exposed RDP, phishing, unpatched systems) is the same across all sectors.

What should a law firm do if it discovers ransomware on its systems?

Isolate affected systems immediately to prevent spread. Do not turn off devices — preserve forensic evidence. Call your incident response provider or cyber insurer. Notify the SRA if client confidentiality or client money is at risk. Begin the ICO 72-hour reporting clock from the moment you become aware of the breach. Do not pay ransom without legal and insurer advice. Engage a specialist forensic firm to understand the full scope of compromise before restoring systems.
