
Provisional decision from the ICO to fine a software company following a ransomware attack


Following a ransomware attack, the ICO has made a provisional decision to impose a £6 million fine, and urged organisations to secure external connections. 


The Information Commissioner’s Office (ICO) released a statement earlier this month announcing that it has issued a provisional decision to fine Advanced Computer Software Group Ltd (Advanced), a healthcare technology company, over a ransomware incident. The incident occurred in August 2022. The ICO found that the attackers gained initial access to Advanced’s health and care systems through accounts that lacked multi-factor authentication, and went on to exfiltrate personal information belonging to over 82,000 individuals. The breach also disrupted critical services such as NHS 111, with healthcare staff unable to access patient records. The exfiltrated data included phone numbers, medical records, and details of how to gain entry to the homes of over 800 people receiving care at home. Advanced has notified the affected individuals and has found no evidence of the data being published on the dark web.


The ICO has made a provisional decision to impose a £6 million fine on the technology company.


Following an investigation, the ICO has proposed a provisional fine of £6.09 million against Advanced. The ICO’s findings indicate that Advanced failed to implement sufficient safeguards to protect the personal information of 82,946 individuals, some of which was sensitive personal data. Advanced provides IT and software services nationally to organisations such as the NHS and other healthcare providers, acting as a data processor that handles personal information on their behalf. It is important to note that the ICO’s findings are provisional: no conclusion should be drawn at this stage that Advanced has breached data protection law or that a financial penalty will in fact be imposed. The Commissioner will consider any representations made by Advanced before reaching a final decision, and the amount of the fine is subject to change.


The Information Commissioner urges all organisations, particularly those handling sensitive health data, to secure external connections with multi-factor authentication.


The Information Commissioner has used this opportunity to emphasise the importance of prioritising information security, particularly for health data. The ICO has published detailed guidance to help organisations protect their systems from ransomware attacks. Data processors such as Advanced are responsible for implementing appropriate technical and organisational measures to safeguard personal information. This includes regularly assessing vulnerabilities, promptly applying security patches, and keeping systems up to date. John Edwards, UK Information Commissioner, said: “I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”


The ICO’s guidance clarifies the roles of data processors and controllers, helping organisations to understand the governance issues involved.


Data processors act on the documented instructions of their clients, the data controllers, who decide how and why personal information is used. Nonetheless, data processors such as Advanced retain their own set of responsibilities. The ICO’s guidance clarifies the roles and obligations of processors and controllers in keeping personal data secure; it is intended to help organisations understand which role they hold and sets out the governance issues relevant to each. Processors are expected to implement suitable technical and organisational measures to ensure that personal information remains secure. This entails evaluating and mitigating risks, for example by routinely checking for vulnerabilities, implementing multi-factor authentication, and keeping systems updated with the latest security patches. The ICO provides in-depth insight into the responsibilities and liabilities of both processors and controllers in further guidance published by the authority.


Elevate your data protection standards with Aphaia. Schedule a consultation, and embark on a journey toward strengthening security, GDPR compliance, and the peace of mind that comes with knowing your data protection is in expert hands. Contact Aphaia today
