On March 27, 2025, the Information Commissioner’s Office (ICO) fined Advanced Computer Software Group Ltd £3.07 million following a serious ransomware attack in 2022 (see full PDF). The incident, which compromised sensitive healthcare data and disrupted NHS services, was a result of insufficient cybersecurity measures at a health and care subsidiary of Advanced Computer Software Group.
Background of the incident
Advanced Computer Software Group provides IT and software services to national institutions like the NHS and other healthcare providers, managing personal data on their behalf.
In August 2022, hackers gained access to certain systems through a customer account that lacked multi-factor authentication (MFA). The attack was widely reported at the time, causing major disruptions to critical services such as NHS 111 and preventing some healthcare staff from accessing vital patient records.
According to the ICO’s investigation, the breach exposed the personal data of approximately 79,404 individuals, including contact information, medical records, and care access details.
ICO’s findings
The ICO’s investigation concluded that the service provider violated Articles 5(1)(f) and 32 of the UK General Data Protection Regulation (UK GDPR) by failing to ensure appropriate security of personal data. The following security deficiencies were identified:
- Incomplete deployment of multi-factor authentication (MFA) across systems – a security method that requires users to provide at least two independent pieces of evidence to prove their identity.
- Lack of comprehensive vulnerability scanning.
- Inadequate patch management processes.
First processor fine under the UK GDPR
While the ICO initially proposed a £6.09 million penalty, the fine was ultimately reduced to £3.07 million after considering Advanced Computer Software Group’s cooperation with the ICO, the NHS, the National Cyber Security Centre (NCSC), and the National Crime Agency (NCA). The company also took steps to mitigate risks and address security shortcomings after the attack.
The decision marks the first time a fine has been proposed under the UK GDPR against a data processor, signalling a potential shift in the UK’s data protection enforcement, which until now has focused solely on controllers. The fine also aligns with a growing trend across the EU, where data protection authorities have increasingly issued fines against processors for security-related violations.
Implications for organisations
This case underscores the urgent need for organisations to critically assess and strengthen their data protection strategies – highlighting, in particular, the vital importance of robust security measures when handling sensitive personal data in sectors like healthcare.
Key takeaways include:
Implementing strong security measures
In this case, the vulnerability that led to the cyberattack had been widely known since 2020. A mature patch validation process should be in place to close security gaps and keep software and devices performing as intended. It involves identifying, obtaining, testing, and installing patches so that systems stay up to date and protected against known vulnerabilities.
Moreover, Advanced Computer Software Group had not fully implemented multi-factor authentication (MFA) across the affected environment at the time of the incident, although it was in place for certain applications and an MFA solution had been developed. The company claimed that customer reluctance to adopt MFA was a factor, but the ICO dismissed this argument, especially considering the sensitive data the company was handling.
Regular security assessments
The ICO found that, while Advanced Computer Software Group had taken steps to conduct vulnerability scanning, it was not done adequately across its entire IT infrastructure, particularly in the environment the attackers used. The company also failed to perform scans regularly enough. The National Cyber Security Centre (NCSC) recommends monthly scans, or scans after critical changes. Companies should also bear in mind that penetration testing does not replace the need for ongoing scans.
Thus, companies should conduct periodic evaluations of security infrastructure to identify and mitigate vulnerabilities.
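As an added illustration of the three control gaps the ICO cited (incomplete MFA, scanning that did not cover the whole estate or keep to a monthly cadence, and a long-known vulnerability left unpatched), the following script audits a constructed system inventory against those checks. It is not code from the ICO notice or the firm; the inventory, the 14-day patch window and the field names are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory (not from the ICO notice): one record per in-scope system.
# Dates are ISO strings, None = never / none open; mfa = every account able to
# reach the system is enrolled in MFA.
SYSTEMS = [
    {"name": "patient-records", "mfa": True, "last_scan": "2025-03-01",
     "last_change": "2025-02-10", "oldest_open_critical": None},
    {"name": "remote-access-gw", "mfa": False, "last_scan": "2024-11-15",
     "last_change": "2025-01-20", "oldest_open_critical": "2020-06-01"},
    {"name": "billing-db", "mfa": True, "last_scan": None,
     "last_change": "2025-03-05", "oldest_open_critical": "2025-03-10"},
    {"name": "hr-app", "mfa": True, "last_scan": "2025-03-10",
     "last_change": "2025-03-12", "oldest_open_critical": None},
]

SCAN_INTERVAL = timedelta(days=30)  # monthly scans, the NCSC cadence cited above
PATCH_SLA = timedelta(days=14)      # assumed window to patch a known critical flaw

def _d(s):
    return date.fromisoformat(s) if s else None

def audit(systems, today):
    """Return {system: [control gaps]} for every system failing a check."""
    today = date.fromisoformat(today)
    findings = {}
    for s in systems:
        gaps = []
        if not s["mfa"]:
            gaps.append("mfa-not-enforced")
        last_scan, last_change = _d(s["last_scan"]), _d(s["last_change"])
        if last_scan is None:
            gaps.append("never-scanned")            # outside scanning coverage
        else:
            if today - last_scan > SCAN_INTERVAL:
                gaps.append("scan-overdue")         # monthly cadence missed
            if last_change and last_change > last_scan:
                gaps.append("unscanned-since-change")  # no scan after a change
        vuln = _d(s["oldest_open_critical"])
        if vuln and today - vuln > PATCH_SLA:
            gaps.append("patch-sla-breached")       # known flaw still open
        if gaps:
            findings[s["name"]] = gaps
    return findings

def scan_coverage(systems, today):
    """Fraction of the estate scanned within SCAN_INTERVAL (the whole-estate test)."""
    today = date.fromisoformat(today)
    ok = sum(1 for s in systems if (d := _d(s["last_scan"])) and today - d <= SCAN_INTERVAL)
    return ok / len(systems)
```

Running `audit(SYSTEMS, "2025-03-20")` flags the remote-access gateway on all four checks and reports 50% scan coverage, the kind of estate-wide view the ICO found missing.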
Compliance with data protection laws
Companies are well advised to conduct thorough audits not only of their own organisation but also of any sub-processor they authorise to handle personal data. The appointment of a sub-processor must be formalised through a contract that guarantees the same level of data protection as the contract between the controller and the processor.
Data processors should be aware that they are held to the same security standards as data controllers.
Organisations, particularly those processing sensitive personal data, must prioritise information security to protect individuals’ privacy and maintain trust.