- Software company Advanced has been fined by the ICO over a data breach
- This is the first penalty for a data processor
- The details of over 79,000 people were put at risk
The British Information Commissioner’s Office (ICO) has issued a £3.07 million fine to the software company Advanced Computer Group LTD following a 2022 ransomware attack in which NHS data was stolen and systems were encrypted, putting the personal information of 79,404 people at risk.
This is the first ICO fine issued to a data processor and acts as a “sharp reminder that organizations risk becoming the next target without robust security measures in place,” the Commissioner said.
The attack disrupted critical services at the time, including NHS 111, and meant that some healthcare professionals were unable to access patient records. The stolen information included patient phone numbers, medical records and, most notably, information on how to access the homes of 890 people who received care at home.
Inadequate protection
An Advanced spokesman told TechRadar Pro the incident was “absolutely regrettable” and that the company is glad to see the case concluded:
“With threat actors operating with rising sophistication, it is on all companies to ensure that their cyber position is continuously strengthened. Cyber security is still a primary investment in our business and we have learned a lot as an organization since this attack.”
The ICO’s investigation found that Advanced Computer Group LTD did not deploy adequate technical and organizational measures to keep its health and care systems fully secure before the incident, and pointed to gaps in the implementation of multi-factor authentication, insufficient patch management and ‘a lack of extensive vulnerability scanning’.
“The security goals of Advanced’s subsidiary fell seriously short of what we would expect from an organization that processes such a large amount of sensitive information,” confirms John Edwards, Information Commissioner.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant that hackers could gain access, which put thousands of people’s sensitive personal information in danger.”
The company was hit with a preliminary fine of £6m in August 2024, but the ICO reduced this after taking several factors into consideration, including Advanced’s “proactive engagement with NCSC, NCA and NHS in the wake of the attack and other steps taken to reduce the risk to those affected.”