The ICO, the UK data protection watchdog, says it proposes to fine a software firm £6.09m over a ransomware attack in August 2022 in which hackers accessed systems via a customer account that did not have multi-factor authentication.
The hack of Advanced Computer Software Group Ltd disrupted the NHS 111 phone line and left healthcare workers unable to access records. The ICO’s provisional finding is that personal information belonging to 82,946 people was exfiltrated, including phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.
Usually, the ICO does not publicise cases at this provisional stage but waits until a final decision.
John Edwards, the UK Information Commissioner, urged all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication. He said: “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
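The control the ICO singles out is the one a stolen password defeats: an externally reachable account that accepts a password alone. The Python below is an added illustration, not code from the ICO, Advanced or this article. It implements RFC 6238 TOTP (HMAC-SHA1, 30-second step, six digits, the scheme common authenticator apps use) on top of a constructed account store, shows a password-only login beside one that also demands a TOTP code, and finishes with the audit the statement calls for: listing external accounts that can still log in without MFA. The account names, password, salt and the `external`/`mfa_enforced` flags are assumptions for the example; the seed is the RFC 6238 test seed so the codes can be checked against the RFC's own vectors.

```python
"""Password-only vs password-plus-TOTP login, plus an audit for the gap.

Added example; all accounts and credentials here are constructed.
TOTP follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits).
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Accept the current step and `drift_steps` either side for clock skew,
    comparing in constant time so the check itself leaks nothing."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-drift_steps, drift_steps + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed account store (assumed names and flags). The TOTP seed is the
# RFC 6238 test seed, so codes can be checked against the RFC vectors.
SALT = b"constructed-per-user-salt"
TOTP_SEED = b"12345678901234567890"
ACCOUNTS: Dict[str, dict] = {
    "customer-a": {"pw": hash_password("Winter2022!", SALT), "totp": TOTP_SEED,
                   "external": True, "mfa_enforced": False},   # the weak setting
    "customer-b": {"pw": hash_password("Winter2022!", SALT), "totp": TOTP_SEED,
                   "external": True, "mfa_enforced": True},    # the corrected setting
    "batch-job":  {"pw": hash_password("svc-pass", SALT), "totp": None,
                   "external": False, "mfa_enforced": False},  # internal only
}


def login(account: str, password: str, code: Optional[str], unix_time: int) -> str:
    """Return one of: granted, bad-password, mfa-required, bad-code, no-account."""
    rec = ACCOUNTS.get(account)
    if rec is None:
        return "no-account"
    if not hmac.compare_digest(rec["pw"], hash_password(password, SALT)):
        return "bad-password"
    if not rec["mfa_enforced"]:
        return "granted"            # a stolen password alone is enough here
    if code is None:
        return "mfa-required"
    if not verify_totp(rec["totp"], code, unix_time):
        return "bad-code"
    return "granted"


def accounts_missing_mfa(accounts: Dict[str, dict]) -> List[str]:
    """Externally reachable accounts that can still log in with a password alone."""
    return sorted(name for name, rec in accounts.items()
                  if rec["external"] and not rec["mfa_enforced"])


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: counter 1, expected code 287082
    print(login("customer-a", "Winter2022!", None, now))                  # granted
    print(login("customer-b", "Winter2022!", None, now))                  # mfa-required
    print(login("customer-b", "Winter2022!", totp(TOTP_SEED, now), now))  # granted
    print(accounts_missing_mfa(ACCOUNTS))                                 # ['customer-a']
```

With the same stolen password, `customer-a` is fully compromised while `customer-b` stops at `mfa-required`; the audit function is the kind of regular check that would have flagged the first account before an attacker did.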
Comment
Brian Boyd, head of technical delivery at i-confidential, said: “This is a huge fine that highlights the importance the ICO is placing on organisations adopting good cyber hygiene. According to reports, Advanced Computer Software had no MFA enabled on some of the accounts that access their systems, which allowed criminals to easily break in using a stolen password. This is a major red flag. There are many places (critical accounts, critical applications, remote access, etc.) where MFA is a must. Passwords are lost or stolen every day, so enabling MFA is one of the only ways to prevent criminals gaining access to networks through these credentials.
“The incident was also another reminder of the dangers that can occur when the security of suppliers is weak. In this case, the attack impacted the NHS, which caused worrying disruptions to health care for UK citizens. This is a situation that must be avoided. However, the recently announced Cyber Security and Resilience Bill has been designed to enhance supply chain security across critical industries, so it is clear the government is already actively working to combat these threats.”