On March 26, 2025, the UK data protection regulator (the Information Commissioner’s Office (“ICO”)) fined Advanced Computer Software Group Ltd (“Advanced”) £3.07 million (approximately $4 million). In 2022, Advanced suffered a ransomware incident that put the personal data of 79,404 people at risk. In its penalty notice, the ICO found that Advanced failed to implement appropriate technical and organisational measures, as required by UK GDPR. This is one of only a handful of fines imposed by the ICO for failure to implement adequate security measures. The ICO’s penalty notice is available here.
What happened?
Between August 2 and August 4, 2022, an unauthorized third party used valid credentials to gain access to one of Advanced’s systems. This system did not have multi-factor authentication (“MFA”) enabled. Once inside, the unauthorized third party exploited a known vulnerability in the Netlogon protocol (ZeroLogon, CVE-2020-1472) to escalate their privileges to a domain administrator account. The unauthorized third party then used the domain administrator account to move through Advanced’s environment, disable antivirus software, perform reconnaissance, explore cloud storage and file hosting services, download infrastructure management data, exfiltrate data and deploy ransomware. The incident infected 295 endpoints, and 19GB of data was exfiltrated.
Who did the incident affect?
The incident affected nine of Advanced’s systems that serve healthcare business customers. Approximately 658 business customers (including the UK’s National Health Service) use these systems. To recover from the incident, Advanced took multiple systems offline to rebuild them from scratch, reconnecting data controllers one by one. The process took until May 2023, so some business customers faced disruption for around 9 months.
What personal data did the incident affect?
Impacted personal data included:
- Demographic and contact information (e.g., name, DOB, address, mobile number, email address).
- Employment-related information (e.g., employer name, job title, employee ID, salary, business contact details).
- Medical / health information (e.g., medical records, medical history, diagnosis, treatments, prescription information, NHS number, dates of treatment).
- Other information including special category data (e.g., national ID number, racial or ethnic origin, religion or philosophical beliefs, nationality).
Key takeaways
Companies operating in high-risk sectors (such as the health sector) need to take particular care. Such companies often process special category data, so they must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by processing personal data. The same applies to companies that serve business customers operating in critical national infrastructure sectors (such as the National Health Service).
The ICO increasingly sees MFA as an essential security measure for mitigating cyber risks. In the case of Advanced, the ICO did not find the alleged operational challenges associated with implementing MFA compelling enough to justify not implementing it.
Security practices should be the same at both parent company and subsidiary level. The ICO criticized the Advanced group because its parent company had:
- procured a vulnerability scanning application, but the application had not been used to scan for vulnerabilities at Advanced; and
- undertaken some patching activities in response to ZeroLogon CVE-2020-1472, but the patching was not carried out consistently across subsidiaries to successfully mitigate the risks associated with the known critical vulnerability.
Regular vulnerability scanning is essential to maintain the security of systems. According to the UK National Cyber Security Centre, a company should perform vulnerability scans once a month.
Patch management is necessary to address bugs and vulnerabilities in a given system. The ICO views patch management as a necessary technical and organisational measure that should be implemented to ensure a level of security appropriate to the risk posed by processing personal data. Companies should also ensure that their patching records are accurate, so that a patch recorded as applied has in fact been applied everywhere it is needed.