Fine imposed on Advanced reduced from an initial £6 million after records were exposed.
A provider of IT and software services and processor of personal information has been fined more than £3 million after the loss of around 80,000 records.
Advanced Computer Software Group has been fined £3.07 million by the Information Commissioner’s Office for security failings that put the personal information of 79,404 people at risk in a ransomware incident. In that incident, attackers accessed certain systems of Advanced’s health and care subsidiary via a customer account that did not have multi-factor authentication.
The ICO’s investigation concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its health and care systems fully secure prior to the 2022 incident. This included gaps in the deployment of MFA, a lack of comprehensive vulnerability scanning and inadequate patch management.
Gain Entry
The investigation further found that personal information belonging to 79,404 people was taken, including details of how to gain entry into the homes of 890 people who were receiving care at home.
John Edwards, Information Commissioner, said: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.
“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”
Provisional Decision
The ICO announced its provisional intent to fine in August 2024, with the proposed penalty set at more than £6 million. Advanced then submitted representations on the provisional decision, which the ICO considered before agreeing a reduced fine as a voluntary settlement, taking several mitigating factors into account.
These factors included Advanced’s proactive engagement with the NCSC, the National Crime Agency and the NHS in the wake of the attack, and other steps taken to mitigate the risk to those affected.
“I welcome the settlement with Advanced which concludes our investigation into this incident, providing regulatory certainty to organisations without the delay and cost of an appeals process,” Edwards said.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.