UK Information Commissioner’s Office fines Advanced Computer 3.07 million pounds for security failures resulting in ransomware attack affecting 79,404 people. Lessons for Australian organisations.
March 28, 2025
The UK Information Commissioner’s Office (“ICO”) has fined Advanced Computer Software Group Ltd (“Advanced”) some £3.07 million for inadequate security which resulted in a ransomware attack in August 2022 that disrupted the operation of NHS services and impacted 79,404 people. The ICO found that Advanced’s security measures fell seriously short of what it would expect from an organisation processing a large volume of sensitive information.
While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk. Hackers were able to access Advanced’s systems via a customer account. Access to that account was not protected by multi-factor authentication. Once in the systems, the hackers were able to exfiltrate data belonging to 79,404 people. That included, with respect to 890 people receiving home care, details of how to gain entry to their property.
Last year, the ICO signalled its intention to fine Advanced £6.09m. After considering Advanced’s submissions it reduced the fine to £3.07m. One, but not the only, reason for the reduction was Advanced’s “proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted”. Other factors were Advanced’s notification to customers within 24 hours of discovery, irrespective of whether they were affected, providing a team of 18 people to restore infrastructure, and engaging external experts to undertake a forensic investigation and analysis of the data impacted. Advanced also undertook a comprehensive review of potentially impacted data. There are lessons in the Australian context. It is important for an organisation to react quickly and decisively, and to engage with all relevant authorities. That means having a plan.
The statement provides:
The Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.
Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations.
The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber attack was widely reported at the time, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.
The media release provides:
- ICO confirms that a subsidiary of Advanced broke data protection law by failing to fully implement appropriate security measures such as multi-factor authentication coverage prior to 2022 attack
- Voluntary settlement reached with Advanced acknowledging the regulator’s decision and agreeing to pay the reduced fine without an appeal
- Information Commissioner: “Today’s decision is a stark reminder that organisations risk becoming the next target without robust security measures in place.”
We have fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.
Advanced provides IT and software services to organisations, including the NHS and other healthcare providers, and processes people’s personal information on behalf of these organisations.
The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber attack was widely reported at the time, with reports of disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.
The investigation found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.
Our investigation concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the 2022 incident – including gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management.
John Edwards, Information Commissioner, said:
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.
“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information - there is no excuse for leaving any part of your system vulnerable.”
We announced our provisional intention to fine Advanced £6.09m in August 2024. Advanced then submitted representations on the provisional decision, which have been carefully considered by the ICO.
Several factors from these representations led to a reduction in the fine, including Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted.
The ICO and Advanced have now agreed a voluntary settlement. Advanced has acknowledged our decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without appealing.
John Edwards added:
“I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.”
Organisations must be taking proactive steps to assess and mitigate risks, such as implementing comprehensive MFA (or an equivalent measure), regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.
We have detailed guidance on protecting systems from ransomware attacks, as well as guidance on the responsibilities of data processors and controllers.
Last year, we shared lessons learnt from common security mistakes and called on organisations to do more to combat the growing cyber threat.
The full monetary penalty notice can be found here.
This is the first time that the ICO has imposed a monetary penalty against a data processor under the GDPR. Previously the ICO had only imposed fines against data controllers.
The obvious lesson is the importance of having multi-factor authentication in place across the entire platform.
The breach is reported by Computer Weekly in Advanced Software fined £3m over LockBit attack, and by Medical Device Network in Advanced to pay $3.9m ICO fine over NHS cyber breach.