Software Provider Hit with £3 Million Fine After Ransomware Attack Exposes Personal Data
Key Takeaways
- £3.07m Fine for Advanced: Advanced Computer Software Group Ltd faces a £3.07 million fine after failing to implement adequate cybersecurity measures, which resulted in a ransomware attack compromising the personal data of 79,404 individuals.
- Ransomware Attack Details: The 2022 attack, affecting Advanced's health and care subsidiary, exploited a customer account that lacked multi-factor authentication (MFA), leading to disruptions in critical NHS services and theft of sensitive data.
- Security Failings Identified: The ICO investigation revealed serious security gaps, including incomplete MFA deployment, lack of vulnerability scanning, and inadequate patch management.
- Settlement and Fine Reduction: Advanced agreed to a reduced fine following proactive cooperation with the National Cyber Security Centre (NCSC), National Crime Agency (NCA), and the NHS. The fine was lowered from an initial £6.09 million to £3.07 million.
Deep Dive
Advanced Computer Software Group Ltd (Advanced) has been slapped with a £3.07 million fine following a ransomware attack that compromised the personal data of 79,404 individuals. The fine comes after the company’s health and care subsidiary failed to implement sufficient security measures, leaving its systems vulnerable to a cyberattack that had widespread repercussions for critical healthcare services.
This attack, which took place in August 2022, disrupted vital NHS services, including NHS 111, and left healthcare staff unable to access patient records. The breach occurred after hackers gained access to systems via a customer account that was not protected by multi-factor authentication (MFA), a basic security feature designed to block unauthorized users from entering sensitive systems. As a result, the hackers were able to steal valuable personal information, including details about how to enter the homes of 890 people receiving home care.
The ICO's investigation painted a troubling picture. Although Advanced had deployed MFA across many of its systems, coverage was incomplete, and the customer account used as the point of entry was one of the gaps. The company also had serious shortcomings elsewhere in its security measures, including a lack of vulnerability scanning and poor patch management. These shortcomings proved to be a costly oversight, allowing the attackers to bypass the company’s defenses and cause chaos in the healthcare sector.
John Edwards, the Information Commissioner, didn’t mince words when discussing the findings.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organization handling such a large volume of sensitive data,” Edwards remarked. “People should never have to wonder if their medical records are safe. Trust is everything, and organizations must meet their obligations to protect personal information.”
While the fine is significant, it’s worth noting that it was reduced from the initial £6.09 million after Advanced worked proactively with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS following the attack. This cooperation, along with other actions taken to mitigate the impact on those affected, led to a voluntary settlement between the ICO and Advanced. The company has agreed to pay the final fine without appealing the decision, bringing some closure to a case that has drawn attention for its high stakes in the healthcare sector.
“This settlement provides clarity and helps avoid the delays and expenses of a drawn-out appeals process,” Edwards added, welcoming the resolution. “There is no excuse for leaving any part of your system vulnerable.”
With cyberattacks growing more common and more sophisticated, businesses must ensure that every part of their infrastructure is protected, from external connections and customer-facing accounts through to internal systems.