ICO fines British IT company millions over ransomware attack
The Information Commissioner’s Office (ICO) has provisionally decided to impose a £6 million fine on Advanced Computer Software Group for failing to protect the sensitive personal information of its customers.
In August 2022, a ransomware incident took place at the IT supplier. Hackers were able to access several health and care systems via a compromised customer account that wasn’t protected with multi-factor authentication.
Once the attackers gained access to the company’s network, they stole the personal information of 82,946 people. The exfiltrated information included full names, phone numbers, and medical records, as well as detailed information on how to gain entry to the homes of 890 people who received care at home.
People who had been affected by the data breach were notified of the incident. Advanced Computer Software Group didn’t find any evidence of personal information being sold or published on the dark web.
The ICO opened an investigation after the incident came to light. Its initial findings are that the provider failed to protect its clients' personal information, and on that basis the regulator, acting as the UK's Data Protection Authority (DPA), has provisionally proposed a £6 million fine.
The Commissioner’s findings are provisional: the ICO has not yet concluded that data protection law was breached, so the fine is provisional rather than final.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches,” UK Information Commissioner John Edwards says in a statement.
Advanced Computer Software Group provides IT and software services to healthcare providers and handles people’s personal information on behalf of these organizations as their data processor. Data processors have to implement appropriate technical and organizational security measures to keep the data they store safe from hackers, especially when it concerns sensitive personal information.
The ICO therefore urges all organizations to protect external connections to their systems with multi-factor authentication.
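The condition the ICO singles out, an externally reachable account that can log in without MFA, is straightforward to hunt for in authentication logs before an attacker does. The script below is an added example for this article, not code from the ICO, Advanced or any vendor: it applies a simple "external access requires MFA" policy to a handful of constructed login events and reports the accounts that would have been let in without a second factor. The log format, the list of internal network ranges and the event data are all assumptions made for illustration.

```python
"""Audit authentication events for external logins that did not complete MFA.

Added example: the log format, internal ranges and sample events are
assumptions constructed for illustration, not real data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events: <timestamp> <user> <source IP> mfa=y|n
SAMPLE_EVENTS = """\
2022-08-02T01:13:07Z customer-a 10.20.4.15 mfa=y
2022-08-02T01:47:51Z customer-b 203.0.113.42 mfa=n
2022-08-02T02:05:19Z support-x 198.51.100.7 mfa=y
2022-08-02T02:09:44Z customer-b 203.0.113.42 mfa=n
2022-08-02T03:22:08Z admin-1 192.168.9.3 mfa=n
"""

# Assumption: these ranges are "internal"; anything else is an external connection.
# Membership is checked explicitly rather than via ip.is_private, because the
# RFC 5737 documentation ranges used in the sample data count as private there.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_event(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, user, ip, mfa = line.split()
    return {"ts": ts, "user": user,
            "ip": ipaddress.ip_address(ip), "mfa": mfa == "mfa=y"}


def is_external(ip):
    """True when the source address is outside every internal range."""
    return not any(ip in net for net in INTERNAL_NETS)


def decide(event):
    """Policy: external logins must have completed MFA; internal ones are allowed."""
    if is_external(event["ip"]) and not event["mfa"]:
        return "deny"
    return "allow"


def audit(log_text):
    """Return {user: [(timestamp, ip), ...]} for every login the policy would deny."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if decide(ev) == "deny":
            findings[ev["user"]].append((ev["ts"], str(ev["ip"])))
    return dict(findings)


if __name__ == "__main__":
    for user, hits in audit(SAMPLE_EVENTS).items():
        print(f"{user}: {len(hits)} external login(s) without MFA")
        for ts, ip in hits:
            print(f"  {ts} from {ip}")
```

Run against real data, the same function flags the accounts to enrol in MFA first; the policy can be tightened to require MFA everywhere by dropping the `is_external` test in `decide`, which would also catch the internal `admin-1` login in the sample.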