Birmingham software firm fined £3.07m after data breach

The Information Commissioner’s Office (ICO) has imposed a £3.07 million fine on Birmingham-based Advanced Computer Software Group Ltd due to security lapses that exposed the personal information of nearly 80,000 individuals. This penalty comes after a ransomware attack in August 2022, which notably disrupted NHS services and compromised sensitive data.

Advanced Computer Software Group, known for providing IT services to the NHS and other healthcare providers, was attacked via an inadequately secured customer account that lacked multi-factor authentication (MFA). The breach led to significant disruptions, including NHS 111 service outages and healthcare workers being unable to access patient records.

The ICO’s investigation highlighted that Advanced’s health and care subsidiary failed to implement necessary security measures, such as comprehensive MFA, thorough vulnerability scanning, and effective patch management. Consequently, hackers could access sensitive personal information, including entry details to the homes of 890 individuals receiving home care.

John Edwards, the Information Commissioner, criticised the firm’s security protocols, stating, “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

The ICO initially considered a higher fine of £6.09 million but reduced the penalty following representations from Advanced, which highlighted their proactive steps in mitigating the breach’s impact. These included engaging with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS.

Ultimately, Advanced agreed to a voluntary settlement with the ICO, acknowledging the decision and opting not to appeal. “I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process,” Edwards added.

An Advanced spokesperson remarked on the resolution, “What happened over two and a half years ago is wholly regrettable. With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals.”