Hot on the heels of its notice of intent to fine DNA company 23andMe £4.59m following a data breach, the ICO has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings identified following a ransomware attack. The attack hit the headlines when it brought some key NHS services to a stop and led to the personal data of nearly 80,000 people being exfiltrated.
Here we set out some key takeaways from the ICO’s monetary penalty notice (MPN). For more information on the facts around the ransomware attack itself, see our previous blog.
Key takeaways from the ICO MPN:
- Consider who is really responsible (and remember processors can be fined):
Advanced, an IT service provider, is the first data processor to be fined by the ICO. While data processors do not have their own duty to notify a data breach under the GDPR, they do have their own security obligations. The ICO only looked at Advanced’s obligations in the context of its role as a data processor. It was found to have breached these obligations. The fact that Advanced’s clients, who were data controllers, also had to take appropriate security measures to protect their personal data did not reduce Advanced’s responsibility as a data processor.
- Will all processors be held to the same standard?
The ICO cited a number of aggravating factors in this case. These included Advanced’s size, the number of customers it processed data for and the volume and nature of the personal data it processed. With approx. 80,000 people’s personal data impacted (including over 40,000 people’s special category data), it’s perhaps unsurprising that the ICO examined whether Advanced had security measures in place that were appropriate to the risk of harm. Impacted data included health data, national insurance numbers and details on how to get into people’s homes.
- What is security best practice?
The MPN discussed how Advanced fell short of “fundamental cyber security principles” and “industry wide standards” which are “best practice”. But what do these cover? In this case Advanced’s deficiencies related to:
- Vulnerability scanning – there was no evidence that regular scanning took place despite this being a known risk area. Both the ICO and NCSC recommend scanning is done at least monthly. Relying on scans carried out as part of pen tests is not sufficient.
- Ad hoc patch management – there was no evidence the ZeroLogon vulnerability had been patched on the impacted server, despite both the NCSC and NIST having previously issued warnings about this vulnerability. The ICO also commented that Advanced failed to meet “industry wide standards” of vulnerability management (scanning and patching). These are covered in standards such as ISO 27002:2017 and NCSC Cyber Essentials v3.0.
- Multi-Factor Authentication (MFA) – while 95% of Advanced’s records were protected by MFA, it was not used in one of their public-facing environments at the time of the incident. MFA is recommended (where possible) in ICO guidance and has been referenced in previous ICO fines. The MPN also mentions that it is required for Cyber Essentials certification. Interestingly, Advanced’s argument that customers were reluctant to accept MFA solutions seemed to cut very little ice with the ICO.
Despite these deficiencies, the ICO did note that Advanced managed some things well. For example, it quickly appointed technical experts to help both contain the incident and rebuild systems, and liaised with the NCSC.
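The three deficiencies above are all things a processor can check for itself on a routine basis. As an added illustration (not code from the ICO notice, Advanced, or this blog), the following Python audit runs those three checks over a constructed asset inventory: scan recency against the monthly cadence the ICO and NCSC recommend, outstanding advisories per host, and MFA enforcement on every internet-facing system. The host names, dates and the single outstanding advisory label are hypothetical; the inventory is deliberately built so that aggregate MFA coverage reads 95% while the one gap is the exposed system, which is the point the MPN makes.

```python
"""Control-cadence audit over a constructed asset inventory (added example).

Checks the three controls the MPN faults: scan recency (at least monthly),
outstanding patches, and MFA enforcement on every internet-facing system.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SCAN_INTERVAL_DAYS = 30  # "at least monthly" cadence recommended by ICO/NCSC
AS_OF = date(2022, 8, 1)  # hypothetical audit date


@dataclass
class Host:
    name: str
    internet_facing: bool
    mfa_enforced: bool
    last_vuln_scan: Optional[date]  # None = no evidence any scan ever ran
    unpatched: set = field(default_factory=set)  # advisories still outstanding


# Constructed sample inventory: hypothetical names, dates and advisory label.
# 19 of 20 hosts enforce MFA (95% coverage), but the one gap is public-facing.
INVENTORY = [
    Host(f"app-internal-{i:02d}", False, True, date(2022, 7, 20)) for i in range(1, 18)
] + [
    Host("legacy-fileserver", False, True, date(2022, 5, 30)),  # scanned, but too long ago
    Host("vpn-gateway", True, True, date(2022, 7, 25)),
    Host("citrix-public", True, False, None, {"ZeroLogon"}),  # never scanned, no MFA
]


def overdue_scans(hosts, as_of, max_age_days=SCAN_INTERVAL_DAYS):
    """Names of hosts whose last scan is missing or older than the allowed interval."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(
        h.name for h in hosts if h.last_vuln_scan is None or h.last_vuln_scan < cutoff
    )


def unpatched_hosts(hosts):
    """host name -> sorted outstanding advisories, only for hosts with a backlog."""
    return {h.name: sorted(h.unpatched) for h in hosts if h.unpatched}


def mfa_report(hosts):
    """Aggregate coverage plus the list that actually matters: exposed systems without MFA."""
    covered = sum(1 for h in hosts if h.mfa_enforced)
    exposed = sorted(h.name for h in hosts if h.internet_facing and not h.mfa_enforced)
    return {
        "coverage_pct": round(100 * covered / len(hosts), 1),
        "exposed_without_mfa": exposed,
    }


def audit(hosts, as_of):
    """Combined report; `compliant` is False if any of the three controls has a finding."""
    report = {
        "overdue_scans": overdue_scans(hosts, as_of),
        "unpatched": unpatched_hosts(hosts),
        "mfa": mfa_report(hosts),
    }
    report["compliant"] = not (
        report["overdue_scans"]
        or report["unpatched"]
        or report["mfa"]["exposed_without_mfa"]
    )
    return report


if __name__ == "__main__":
    import json

    print(json.dumps(audit(INVENTORY, AS_OF), indent=2, default=str))
```

Run as-is, the report is non-compliant on all three controls even though the headline MFA figure is 95%: the gap list, not the percentage, is what an assessor (or the ICO) looks at. Feeding the script a real inventory export is a matter of replacing the constructed `INVENTORY` list.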
- Provisional fines can be negotiated:
The provisional fine for Advanced had been over £6 million. The subsequent representations and settlement with the ICO nearly cut the fine in half. However, part of that settlement included an agreement not to appeal. This is not the first time the ICO has issued a lower fine following negotiations. It is, however, the first time we have seen them enter into a settlement agreement of this kind – perhaps not surprising given the number of fines that are overturned in the courts.
- Processor breaches are complex:
While not discussed in detail in the MPN, the case is a reminder of how challenging it is for processors to manage a breach which involves multiple customers. In this case, 16 controller customers were directly impacted by the data breach. 658 were impacted when products were unavailable as a result of containment action taken by Advanced to limit the impact. Both processors and controller customers should therefore have cyber preparedness plans that can manage such an event.
Comment:
Slaughter and May cyber partner Richard Jeens said: “this case illustrates the benefits of engagement – with the NCSC, ICO and with relevant customers – but also the standards to which processors (and controllers) will be held if they deal with more sensitive data”.
David Cannings, Director in PwC's Cyber & Forensics team, said: "The recent fine imposed by the ICO serves as a stark reminder of the critical importance of implementing robust technical measures to safeguard data. In today's digital landscape, practices such as Multi-Factor Authentication (MFA) and regular patching are not just recommended but viewed by the regulator as essential. These measures play a vital role in protecting sensitive information from unauthorised access and ensuring that data is processed securely."