The UK Information Commissioner’s Office (ICO) has levied a £3.07 million ($3.95 million) fine against Advanced Computer Software Group Ltd for a ransomware attack in 2022 that exposed the sensitive personal data of 79,404 individuals, including NHS patients.
The attack, which disrupted key NHS services like 111 emergency services in August 2022, was traced back to Advanced, a British managed service provider (MSP) that supplies various health-related products to the NHS. These include systems like Adastra, Caresys, Carenotes, Odyssey, and others used for patient management and health services.
While the company initially kept details of the ransomware group under wraps, it was later revealed that LockBit, a notorious cybercriminal group, was behind the breach. The attackers exploited compromised credentials to gain access to a Staffplan Citrix server and then moved laterally into Advanced’s network.
The ICO’s investigation highlighted significant security shortcomings within Advanced, including poor vulnerability scanning, inadequate patch management, and the lack of comprehensive multi-factor authentication (MFA) coverage. While MFA was implemented across many systems, gaps in coverage allowed the attackers to infiltrate the network and exfiltrate sensitive data.
Information Commissioner John Edwards criticized the company’s security practices, stating, “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organization processing such a large volume of sensitive information.”
While the fine is notably lower than the £6.09 million ($7.74 million) originally considered in 2024, it marks a significant moment in the ICO’s enforcement actions, as it is the first fine imposed on a data processor rather than a data controller. Past ICO fines for data breaches have targeted companies like British Airways and Marriott, including a record £20 million fine on British Airways for a 2018 breach.
Bijay Pokharel