A Derby law firm's confidential data was accessed in a cyber attack. It is understood that personal information about clients was among the data stolen.
On May 30, law firm Nelsons, which also has locations in Leicester and Nottingham, was the target of a cyber attack.
Two of Nelsons' Derby clients, who wished to remain anonymous, claim they only learned their information had been accessed six weeks after the incident. One of them went on to say that they had been informed that confidential data containing details about their identification had been stolen during the cyber attack.
He said: “It’s not good - it was out there six weeks previously before they notified me. That’s strange. From my point of view I’d have preferred to have known straight away so that I could have acted.
“I’ve also struggled to safeguard my information as best I can. I think this has affected quite a lot of people. I’ve gone back to square one.”
These items were only for this client, and Nelsons has stated that not everyone affected will have the same documents. It stated that it had taken appropriate and immediate action, notifying its clients of the data breach.
Furthermore, it claimed that the hackers, who are said to have copied personal information, had accessed less than 2% of clients' data. The company reviewed relevant files and hired a team of outside IT experts to assist in restoring its systems. Derbyshire Constabulary are also assisting in the recovery.
This, it claims, will lessen the impact of the hack. The company has also informed the Information Commissioner's Office (ICO), which it was duty bound to do after such a breach.
An ICO spokesperson stated: “We are aware of the reported cyber incident involving Nelson’s Solicitors Limited and are currently making further enquiries with the organisation.”
According to ICO guidelines, any data breach must be reported to affected customers "as soon as possible" after a company becomes aware of it.
Nelsons claims to be one of the top 200 law firms in the United Kingdom. Accident and medical claims, divorce and children, wills and inheritance, wealth management, business services, employment and HR, and property services are among its specialties.
A spokesperson said:
“Nelsons recently experienced a cyber security incident; however, due to the processes we have in place there was minimal impact on our day-to-day operations and we were able to continue delivering for clients without significant interruption.
"As soon as we became aware of this issue, we took steps to contain the incident and engaged third-party cyber security specialists who have been working with us to investigate the matter. We are contacting individuals that have been potentially impacted to ensure they are proactively informed. We take our IT security and data protection responsibilities incredibly seriously and are liaising with our employees and clients regarding this matter.
"We have established that the data impacted would amount to less than 2% of the data which Nelsons holds. This percentage is not related to the number of cases or clients, but rather the data the firm holds. Unfortunately, we are not able to disclose commercial information relating to our clients or the firm’s data.
"It is our goal to support those impacted by the cyber security incident in the best way possible. We therefore put experts in place to best answer questions and offer tailored advice. In the notification letters, we also offered additional support through proactive fraud assistance, resolution services, and fraud resolution insurance reimbursement. Individuals were encouraged to take advantage of these services so they could access specialist support. As always, clients' regular Nelsons contacts are available for any other queries.
"Investigations of this nature take time and we did not want to contact individuals prematurely and cause undue alarm. Once we developed a better understanding of the information impacted, we notified identified individuals directly so that those potentially affected could take appropriate action."
At the EMCRC, we encourage law firms to sign up to our free core membership. By aligning your company with the Centre, you can get access to our Trusted Partners - cyber experts essentially - should you become a victim of a cyber attack, hack, or ransomware threat.
They can offer discounted disaster recovery fees because they operate in conjunction with us.
Signing up is easy and free and we'll be there in the background, ready just in case you do become a victim of cyber crime.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).