
ICO (UK) - Advanced Computer Software Group Limited

From GDPRhub
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Article 32(1)(b) UK GDPR
Type: Investigation
Outcome: Violation Found
Started: 05.08.2022
Decided: 26.03.2025
Published: 26.03.2025
Fine: 3,076,320 GBP
Parties: Advanced Computer Software Group Limited
National Case Number/Name: Advanced Computer Software Group Limited
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: CWA

A software company was fined £3.07 million (€3.68 million) for failing to implement appropriate security measures, following a ransomware attack in which the personal data of 79,404 data subjects was compromised.

English Summary

Facts

Advanced Computer Software Group Ltd. (data processor) is a software company providing IT and software services to organisations including the NHS in England.

In August 2022, the processor suffered a cyber-attack in which the threat actor gained access to its internal systems. Access was obtained by using a valid username and password for a customer account, after which the actor was able to disable the antivirus measures and obtain domain administrator privileges. The threat actor gained access to 19GB of data. The incident caused widespread disruption to NHS services.

The processor had to take multiple systems offline in order to re-build them. In May 2023, the final data controller was reconnected.

The personal data of a total of 82,946 individuals was compromised; some of that data related to deceased individuals, leaving a total of 79,404 individuals' personal data having been exfiltrated. This number includes the special category data of 41,196 data subjects. The personal data comprised demographic and contact information, employment-related information, medical and health-related information, and other special category information including racial or ethnic origin and religious or philosophical beliefs.

Following reports of the disruption to NHS services, the ICO (United Kingdom DPA) contacted the processor and launched its investigation.

Holding

The DPA found that the processor did not have in place a system to perform regular vulnerability scanning of the breached systems. The DPA noted that this practice was in stark contrast to the advice issued by the National Cyber Security Centre (NCSC). The DPA found that the processor had infringed the obligation to adopt appropriate technical and organisational security measures under Article 32(1)(b) UK GDPR by failing to implement comprehensive and regular vulnerability scanning of its systems.

The investigation also revealed that the attainment of administrator privileges was attributable to exploitation of the “ZeroLogon” vulnerability, which had been discovered and widely publicised about two years before the incident. Although some work had been performed to address this vulnerability, the DPA found it to be “ad hoc”: there was no record of the patch having been applied, and the processor was unable to confirm whether it had been applied at the time of the breach. The DPA found that the processor's failure to fully implement this patch constituted an infringement of Article 32(1)(b) UK GDPR.

The investigation also revealed that the breached server did not have Multi-Factor Authentication (MFA) enabled. The investigation found that implementing MFA would have prevented the data breach. The DPA noted the processor's high turnover and the scope of the personal data it processes on its systems (between 25 and 30 million data subjects). The DPA found that the failure to implement MFA on the breached system constituted an infringement of Article 32(1)(b) UK GDPR.

The DPA, in light of the nature and scope of the breach, categorized the infringement as having a high degree of seriousness. The DPA issued a provisional fine of £6.09 million (€7.28 million) in August 2022, but following acknowledgment by the processor of the fine and agreement to a voluntary settlement, the fine was reduced to £3.07 million (€3.68 million).

