Process this: ICO issues £6 million provisional fine against processor Advanced Computer Software

Following its initial finding that software provider Advanced Computer Software Group Ltd (Advanced, now trading as OneAdvanced) failed to implement adequate measures to protect personal data, the ICO has published its provisional decision to fine Advanced £6.09 million. Advanced is a data processor on behalf of organisations across the UK including NHS trusts and other major social care bodies. 

What happened to Advanced? 

The provisional decision stems from a ransomware attack suffered by Advanced in August 2022, in which a threat actor accessed their systems through a customer account that did not have multi-factor authentication (MFA) enabled. This resulted in the exfiltration of the personal data of 82,946 individuals, including phone numbers, medical records and details of how to gain access to the homes of 890 patients receiving at-home care. 

The incident caused major disruption to Advanced’s controllers and their ability to deliver patient care, most notably crashing the NHS’s 111 advice service, and caused significant distress to “people who had no choice but to put their trust in health and care organisations”, as emphasised by the Commissioner in his statement announcing the provisional action. He criticised the organisation’s failure to prioritise information security, particularly in the context of processing sensitive special category data, and listed security measures that the ICO expects (and “urges”) organisations to have in place. These include regular vulnerability checks, the latest system security patches and, crucially, multi-factor authentication (MFA) which was lacking in this case.

What has the ICO previously recommended in relation to MFA?

This latest action is consistent with the ICO’s monetary penalty against Tuckers LLP in 2022 (see our Lens blog), in which the ICO expressly considered Tuckers’ failure to implement MFA on its remote access server to be a negligent practice. MFA should have been in place in any event if it was available, in line with the requirements of NCSC Cyber Essentials and NIST 800-63B, and the ICO considered it a comparably low-cost preventative measure, with many MFA solutions widely available. 

In its May 2024 report on current trends and developments in cyber, including on malware and ransomware attacks (see our Lens blog), the ICO emphasised the need for MFA and appropriate controls to mitigate threat actors’ attempts to bypass MFA. According to the NCSC’s MFA guidelines (cited by the ICO on its guidance pages), these controls should include effective user ID verification during account reset processes, to prevent a threat actor gaining access by posing as a legitimate user resetting their password. 

What does this mean for organisations handling personal data?

While the ICO’s track record to date suggests that its final decision may differ significantly from its provisional one (see the ICO’s final decision in relation to Snap, as reported in our Lens blog), there are still key learnings for organisations at this stage:

• This is notably the ICO’s first potential fine against a processor in the UK GDPR context. It is arguably an acknowledgement that the security compromise of a major processor that acts for multiple controllers can have far-reaching ramifications, both nationally and internationally, in the public and private sectors. This has been more recently seen in an incident involving pathology lab Synnovis (resulting in disruption to NHS blood testing and services) and the widely reported Capita incident. It is this potential supply chain contagion that the proposed Cyber Security and Resilience Bill is aimed at curtailing in certain critical sectors (see our Lens blog).
• This is another example of the ICO’s clear and consistent messaging in relation to the need for organisations to implement MFA as part of their suite of technical and organisational security measures. Organisations acting as processors are subject to explicit security obligations under the UK GDPR, and this serves as a timely reminder of the potential for direct regulatory enforcement if they fail to prioritise robust security measures. This is of particular importance where a threat actor’s unauthorised access and exfiltration could leave data subjects at serious risk, which continues to be a central driver for ICO enforcement action.