Advanced Computer Software Group Ltd has been fined £3.07m by the data protection regulator, the ICO, for security failings that put the personal information of 79,404 people at risk, according to the watchdog.
Advanced provides IT and software services to customers including the NHS and other healthcare providers, and processes people’s personal information on their behalf. The fine relates to a ransomware incident in August 2022. Hackers accessed some systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA). The cyber attack was widely reported, with disruption to services such as the National Health Service’s non-emergency line, NHS 111, while some healthcare staff were unable to access patient records. The ICO found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.
The ICO concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the 2022 incident – including gaps in the deployment of MFA, a lack of vulnerability scanning and inadequate patch management.
John Edwards, Information Commissioner, said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.
“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”
The ICO announced a provisional intention to fine Advanced £6.09m in August 2024. Advanced queried the amount, and the ICO and Advanced have since agreed a voluntary settlement. The ICO points to Advanced’s engagement with the UK’s National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS after the attack, and to other steps taken to mitigate the risk to those impacted. For the details of the penalty notice, visit the ICO website.
Comments
Anna Collard, SVP of Content Strategy and Evangelist at the counter-phishing training platform KnowBe4, said: “While any data breach is regrettable, I believe the reduction in the fine reflects the regulator’s recognition of Advanced’s proactive stance in the aftermath of the incident. Several factors contributed to the ICO’s decision, including Advanced’s engagement with key partners such as the National Cyber Security Centre, the National Crime Agency, and the NHS, as well as steps taken to mitigate risks to affected individuals.
“Regulators look beyond the incident itself—they assess not just the damage, but also the level of negligence and how an organisation responds under pressure. And while Advanced had serious shortcomings in their cybersecurity posture that ultimately led to the compromise, cyberattacks can affect even the most secure environments. What distinguishes resilient organisations is how effectively they respond, recover, and improve.
“Cyber resilience is increasingly critical in today’s threat landscape. It’s not only about defending against attacks, but about having the processes, partnerships, and mindset in place to limit impact and rebuild quickly. In this case, Advanced’s post-incident actions demonstrated a willingness to take accountability and strengthen their security posture, which is likely why the fine was reduced.
“This case serves as an important reminder that regulators are increasingly recognizing organisations that demonstrate accountability and resilience, not just compliance on paper.”
Pierre Noel, Field CISO EMEA at Expel, said that breaches can’t be completely avoided. He said: “This is why a strong strategy to navigate the aftermath of a ransomware attack is crucial for businesses. The first step is a solid and pre-emptive approach. The most adequate stance for a CISO is ‘always assume breach’; they should work on the assumption that something will go wrong, and be prepared for the worst. Once the attack has happened, you will be judged on how you handled the critical incident. Transparency and humility are key to maintaining trust with customers and colleagues. Never cover up the incident, and avoid finger-pointing; ultimately, the responsibility rests with you.
“Lastly, businesses and CISOs need to be wise in selecting security providers. Instead of solely focusing on providers with the best technology and service – which can quickly change – they should prioritise trust and long-term reliability. The key question to ask would be whether they will support us in a time of crisis. Once you have figured out the complex process of vendor selection, it gets easier to prepare for the ever-evolving threat landscape.”