UK Fines IT Company for Security Failures That Exposed Personal Data
The U.K. Information Commissioner's Office Thursday slapped IT provider Advanced Computer Software Group Ltd with a $3.9 million fine for failing to take appropriate security measures to prevent a 2022 ransomware attack. The security failure put the personal data of more than 79,000 people at risk, the watchdog said.
Advanced provides IT and software services to organizations, including the National Health Service (NHS) and other healthcare providers, and processes people’s personal information on behalf of those organizations, the ICO said.
The fine relates to a ransomware incident in August 2022 in which the attackers gained access to Advanced’s health and care subsidiary through a customer account that was not protected by multifactor authentication, the ICO said. The attack disrupted critical NHS services and left some healthcare staff unable to access patient records, it said. Among the information the attackers took were details of how to gain entry into the homes of nearly 900 people who were receiving home health care.
The ICO investigation found that Advanced's health and care subsidiary lacked the appropriate technical and organizational measures to keep systems fully secure before the 2022 incident. It found gaps in the deployment of multifactor authentication, a lack of comprehensive vulnerability scanning and inadequate patch management, the watchdog noted.
The ICO announced last August that it intended to fine Advanced more than $7.8 million, but reduced that amount after Advanced engaged with it. Advanced will now pay the reduced fine without appealing, the regulator said.