
The Information Commissioner’s Office has levied a provisional fine of more than £6 million on Advanced, a well-known British business software and services provider, for failing to protect the sensitive personal information of more than 80,000 people.
The software company, which provides IT and software services to organisations on a national scale, including the NHS and other healthcare providers, suffered a significant ransomware attack in August 2022 in which threat actors targeted its internal systems and disrupted several of its business software products and services.
In a statement shared with the BBC, Simon Short, the CEO of Advanced, said that as soon as the cyber attack was detected, the company immediately isolated all health and care environments, ensuring that the issue was contained “to a small number of servers.”
The Information Commissioner’s Office, which was notified about the incident, launched an investigation to determine its scope.
According to the ICO’s investigation, which concluded recently, Advanced “failed to implement measures to protect the personal information of 82,946 people, including some sensitive personal information.” The information watchdog has provisionally fined the company a total of £6.09 million.
“The provisional decision to issue a fine relates to a ransomware incident in August 2022, where we have provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication.
“The data exfiltrated included phone numbers and medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home,” the ICO explained, adding that it is waiting for Advanced’s response before finalising the penalty.
Commenting on the ICO’s decision, John Edwards, UK Information Commissioner, said, “This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident. Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure.
“I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” he added.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543