The UK’s Information Commissioner’s Office (ICO) has today fined Advanced Computer Software Group – now known as OneAdvanced – £3.07m for cyber security failings that exacerbated the impact of a LockBit ransomware attack against the organisation.
The cyber attack, which occurred in August 2022, saw services provided by Advanced customers – including the NHS and other healthcare providers – extensively disrupted when they lost access to its Adastra clinical patient management platform.
One of the bodies that relied on Adastra at the time was the frontline 111 service. Other parts of the health service affected included ambulance dispatch, emergency prescriptions, out-of-hours patient services, and referrals.
The ICO said the attack, which began through a customer account that did not have multifactor authentication (MFA) enabled, saw the data of 79,404 people stolen. Among this data were details of how to gain access to the properties of 890 individuals who were receiving care at home.
The regulator concluded that Advanced’s health and care subsidiary did not have appropriate technical and organisational measures in place to guarantee the security of its IT systems, highlighting gaps not just in MFA, but also in vulnerability scanning and patch management.
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information. While Advanced had installed multifactor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk,” said information commissioner John Edwards.
“People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organisation coming into contact with their personal information – whether that’s using it, sharing it or storing it on behalf of others – is meeting its legal obligations to protect it,” added Edwards.
I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable John Edwards, information commissioner
“With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable,” he said.
The fine – which is about half the amount initially proposed – marks a first for the ICO, as it has never before levied such a penalty on a data processor under UK data protection law.
Its significant reduction is the result of a number of factors, including representations made by Advanced on the progress it has made, and the organisation’s proactive engagement throughout the incident, which included full cooperation with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS.
The ICO and Advanced have now reached a voluntary settlement, by which Advanced acknowledges the decision to reduce the fine and will pay a final settlement without appeal.
Edwards said this settlement was welcome and provided regulatory certainty without needing to incur more costs and delays associated with an appeal.
The ICO warned others that they must take more proactive steps to assess and mitigate the well-known risk factors that enable ransomware gangs like LockBit to operate their criminal enterprises with ease. These include implementing MFA by default and without exception, and doing more work to assess vulnerabilities and fix them in a more timely manner.
An Advanced spokesperson said: “What happened over two-and-a-half years ago is wholly regrettable. With threat actors operating with increasing sophistication, it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.
“We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals.”
Sign Up For Daily Newsletter
Be keep up! Get the latest breaking news delivered straight to your inbox.
By signing up, you agree to our Terms of Use and acknowledge the data practices in our Privacy Policy. You may unsubscribe at any time.
