The Information Commissioner’s Office (ICO) has imposed a £3.07 million fine on Advanced Computer Software Group Ltd for security deficiencies that jeopardised the personal data of almost 80,000 people.
This case highlights the importance of proactive cybersecurity practices, including multi-factor authentication, vulnerability scanning, and up-to-date security patches.
The fine stems from a ransomware attack in August 2022, in which hackers accessed Advanced’s system via a customer account lacking multi-factor authentication. This resulted in the exposure of sensitive information, including access details to homes of individuals receiving care.
The ICO’s key findings included:
- Advanced’s health and care subsidiary failed to implement sufficient technical and organisational security measures, including inadequate multi-factor authentication coverage, vulnerability scanning, and patch management.
- The attack disrupted critical services, including NHS 111, and compromised data on thousands of individuals, including healthcare access information for homecare patients.
- Although Advanced had multi-factor authentication in place for some systems, its incomplete coverage allowed the attackers to bypass defences and access personal information.
Advanced voluntarily accepted the ICO’s decision, agreeing to pay the reduced fine without appealing.
The original fine of £6.09 million was lowered to £3.07 million in recognition of Advanced’s cooperation with authorities after the attack, including the National Cyber Security Centre, the National Crime Agency, and the NHS.
John Edwards, the Information Commissioner, emphasised that the incident serves as a reminder for all organisations, particularly data processors and those handling sensitive data, to ensure robust security protocols are in place. He urged organisations to secure all external connections with multi-factor authentication to avoid becoming potential cyberattack targets.