The Information Commissioner’s Office has reiterated its warning to all UK organisations to protect personal data with robust security measures or face the full force of the law – and potentially a multi-million pound fine – as concerns grow over the inexorable rise of ransomware attacks.
The move comes as the ICO has just slapped a £3.07m penalty on one tech company which works for the NHS and other healthcare providers, after an investigation uncovered security failings that put the personal information of 79,404 people at risk.
Advanced Computer Software Group provides IT and software services and processes people’s personal information on behalf of these organisations.
The fine relates to a ransomware incident in August 2022. Hackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA).
The cyber attack was widely reported at the time, with disruption to critical services such as NHS 111, and other healthcare staff unable to access patient records.
The ICO investigation found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.
Its probe concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the 2022 incident – including gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management.
Information Commissioner John Edwards said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.
“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it.
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”
The regulator had originally planned to fine the company £6.09m but Advanced then submitted representations on the provisional decision, which have been carefully considered by the ICO.
Several factors have led to a reduction in the fine, including Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted.
The ICO and Advanced have now agreed a voluntary settlement. Advanced has acknowledged the ICO’s decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without appealing.
Edwards added: “I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process.”
The regulator has stressed that organisations must be taking proactive steps to assess and mitigate risks, such as implementing comprehensive MFA or an equivalent measure, regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.