
The United Kingdom’s Information Commissioner’s Office (ICO) has imposed a £3.07 million fine on Advanced Computer Software Group Ltd (Advanced) for failing to meet personal data protection standards. The investigation revealed that a cyber incident in August 2022 exposed the data of 79,404 individuals, including sensitive information regarding access to the homes of 890 recipients of domiciliary care services.
Advanced, a provider of IT services and software solutions to institutions such as the National Health Service (NHS), processes personal data on behalf of its clients. The breach occurred via a customer account lacking multi-factor authentication (MFA), resulting in widespread disruption to critical services — notably NHS 111 — and preventing medical staff from accessing patient records.
The ICO determined that Advanced’s healthcare and social care division had not implemented adequate technical and organizational safeguards prior to the incident. Specifically, it had failed to fully deploy MFA, did not routinely conduct vulnerability scans, and maintained substandard update management practices.
Information Commissioner John Edwards stated that “the security measures employed by Advanced’s subsidiary fell significantly short of the standards expected of organizations entrusted with such volumes of sensitive data.” He noted that, despite some systems having MFA, the lack of universal implementation enabled attackers to gain unauthorized access, thereby jeopardizing the safety and privacy of tens of thousands of individuals.
Edwards emphasized that users “must have confidence that organizations handling, transferring, or storing their data are upholding their legal obligations to safeguard it.” He further asserted that “there is no excuse for vulnerabilities in systems” and urged all organizations to enforce MFA for external access points.
Initially, in August 2024, the ICO had proposed a fine of £6.09 million. However, after reviewing objections raised by Advanced, the penalty was reduced. Mitigating factors included the company’s cooperation with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA), and the NHS, as well as actions taken to limit the impact of the breach.
As part of a voluntary settlement, Advanced accepted the ICO’s decision and agreed to pay the final fine of £3,076,320 without further appeal.