The Information Commissioner’s Office (ICO) has made a provisional decision to fine a UK-based software provider £6 million after a 2022 ransomware attack, citing serious failings in the company’s data protection measures.
The decision is a significant example of how the ICO is taking action to hold businesses accountable for the protection of personal data in the digital age.
A brief overview of the incident
In 2022, a major ransomware attack targeted the software provider, affecting its IT infrastructure and compromising the personal data of thousands of individuals. Ransomware is a type of malware that locks users out of their systems or encrypts files until a ransom is paid. These attacks can have devastating consequences, especially when sensitive data is involved.
The software provider in question, Advanced Computer Software Group Ltd, which supplies large organisations including the NHS, failed to put adequate security measures in place to prevent the attack or to respond effectively once the breach occurred. This led to the exposure of a vast amount of personal data, including financial and sensitive information (such as instructions on how to gain entry to the homes of 890 people receiving care) that could be used for identity theft or other malicious activities.
Why the ICO is taking action
The ICO, the UK’s independent regulator for data privacy and protection, holds organisations responsible for complying with the UK General Data Protection Regulation and the Data Protection Act 2018 (together, UK GDPR). The UK GDPR requires businesses to implement appropriate technical and organisational measures to protect personal data from breaches, including ransomware attacks.
In this case, the ICO found that the software provider did not take appropriate steps to safeguard the data it was responsible for. John Edwards, UK Information Commissioner, stated:
“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain due to this incident.
For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.
I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”
A £6 million fine: a signal of seriousness
The ICO’s provisional decision to impose a £6 million fine is a large penalty for a data breach involving ransomware. This fine reflects the serious nature of the security failings and the impact of the breach on the individuals whose data was compromised.
Whilst the decision is still provisional, meaning the company will have the opportunity to respond and present evidence before the final penalty is confirmed, the ICO has demonstrated that it intends to enforce UK GDPR strictly. This fine also serves as a reminder to other organisations to prioritise cybersecurity and data protection.
Lessons for businesses: strengthen data security now
This case highlights the growing threat posed by ransomware attacks and the consequences for companies that do not take data protection seriously. The ICO’s decision underscores the need for businesses to:
1. Invest in robust cybersecurity measures: Adequate firewalls, encryption, and anti-virus software are just the basics. Companies should constantly evaluate their security infrastructure to ensure it meets the latest standards.
2. Regularly conduct security audits: Identifying vulnerabilities early can prevent breaches. Regular risk assessments and audits help in this regard.
3. Prepare for breaches: Even the best security systems can be breached. Having an incident response plan in place is essential to minimise damage and recover quickly.
4. Train employees on cybersecurity: Ransomware often exploits human error. Training staff to recognise phishing attempts, suspicious links, and other red flags can prevent many attacks from being successful.
How can we help?
Kevin Modiri is a Partner in our expert Dispute Resolution team, specialising in civil disputes, insolvency, inheritance disputes, data breach claims and defamation claims.
If you have any questions concerning the subjects discussed in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.