
In today's landscape, where organisations routinely hold vast amounts of personal data, including special category data, in digital form, data security is paramount both within those organisations and throughout the wider supply chain.

The recent decision by the Information Commissioner's Office (ICO) to fine Advanced Computer Software Group Ltd (Advanced) £3.07 million, the first fine issued under the UK GDPR against a data processor, underscores the critical need for robust cybersecurity measures internally and, just as importantly, among those with whom you do business.

Background

Advanced is a prominent provider of IT and software services to healthcare organisations, including the NHS. As was widely reported at the time, it suffered a significant ransomware attack in August 2022. The attack exposed the personal information of over 79,000 individuals, including sensitive details about home care patients.

The attackers gained initial access through a customer account that was not protected by multi-factor authentication (MFA), and the resulting compromise caused widespread disruption to critical services such as NHS 111. The point for practitioners is that a single account outside MFA coverage was enough: MFA only reduces risk when it is enforced across every account that can reach the environment, not just the majority of them.

The ICO's investigation found that Advanced's health and care subsidiary had failed to implement comprehensive security measures, specifically incomplete MFA coverage, a lack of vulnerability scanning, and inadequate patch management. Together these deficiencies allowed the attackers to reach sensitive data and placed thousands of individuals at risk.

Regulatory Response and Settlement

Initially, the ICO announced its intention to fine Advanced £6.09 million, reflecting the severity of the breach. However, following Advanced's proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS, the fine was reduced to £3.07 million. The reduction highlights the weight the regulator gives to co-operation and remedial action when setting penalties.

As the first fine of its kind against a data processor under the UK GDPR, it underlines that controllers and processors alike must ensure their cyber resilience and address known, addressable vulnerabilities such as gaps in MFA coverage and patching.

John Edwards, the Information Commissioner, said the fine is a "stark reminder" to organisations to ensure that they have "robust security measures in place", adding that "there is no excuse for leaving any part of your system vulnerable."

The fine demonstrates the importance of organisations adopting robust security measures, including MFA enforced across all accounts, to keep data secure.

Implications for Organisations

The breach at Advanced is a critical lesson for organisations handling sensitive data. It illustrates the consequences of inadequate security measures, not only in regulatory penalties but also in the disruption of essential services and the erosion of public trust.

In addition, organisations must understand their supply chains, assess the risks their suppliers introduce, judge the adequacy of the protections those suppliers have in place, and strengthen their own cyber resilience accordingly. This requires sufficient due diligence at the procurement and on-boarding stage to identify such risks, and the deficiencies the ICO identified at Advanced give a practical starting point for the questions to ask a prospective processor: whether MFA is enforced on every account that can access your data, including customer and support accounts; how regularly vulnerability scanning is carried out; and how quickly identified vulnerabilities are patched.

Conclusion

The Advanced data breach underscores the necessity of proactive risk management and robust data protection strategies. Cybersecurity must be prioritised through technical and organisational measures, informed by an understanding of the legal and regulatory backdrop, in order to protect sensitive datasets and maintain operational resilience.

For organisations seeking guidance on cyber resilience or incident response, please contact CyberSecure 360.