News | SteelEye

Advanced Computer Software Group Fine - £3m - GDPR - ICO - Mar-25

Written by SteelEye | Mar 26, 2025 5:00:00 AM


QUICK FACTS

  • Fine Amount: £3,076,320

  • Date: 26 March 2025

  • Primary Violations: GDPR Breaches

    • Infringement of Article 32(1) UK GDPR for failure to implement appropriate technical and organisational security measures

Overview

The UK’s Information Commissioner’s Office (ICO) has issued a penalty of £3,076,320 to Advanced Computer Software Group Limited, Advanced Health and Care Limited, and their parent company, Aston Midco Limited (collectively "Advanced").

The fine was levied for a serious infringement of Article 32(1) of the UK GDPR, which mandates appropriate technical and organisational measures to ensure data security.

The penalty follows a ransomware attack in August 2022 that resulted in a significant data breach, exposing the personal and special category data of tens of thousands of individuals and disrupting critical healthcare services, including NHS 111.

The ICO found that the incident stemmed from fundamental cybersecurity failings, including:

  • Inadequate vulnerability management
  • Poor patch management
  • Failure to implement multi-factor authentication (MFA)

Details of the Case

The ICO’s investigation found that Advanced failed to implement appropriate security measures between 25 May 2018 and 22 August 2022. This failure created vulnerabilities that were exploited by a threat actor during a ransomware attack from 2-4 August 2022.

The attacker first gained access to the Advanced Health and Care (AHC) IT environment through a public-facing Citrix system that required only a username and password. From there, the attacker exploited a critical and widely publicised vulnerability known as "ZeroLogon" (CVE-2020-1472, a flaw in the Windows Netlogon secure channel) to escalate their privileges to a domain administrator account. This allowed them to move through Advanced's domains, disable security software, and ultimately exfiltrate approximately 19 GB of data before deploying ransomware.

The breach resulted in the exfiltration of personal data belonging to 79,404 individuals, including highly sensitive special category data for 41,196 of them. This data included medical records, diagnoses, NHS numbers, and, for 890 individuals, information on how to access their homes. The incident caused significant disruption to 658 data controller customers, including NHS services, with system outages lasting from 18 to 284 days.

The ICO determined that Advanced's security measures were negligent and fell short of industry standards. The firm was aware of the risks but failed to act appropriately.


SPECIFICS

  • Advanced had identified the lack of mature vulnerability scanning as the highest priority security risk to its IT infrastructure. Despite procuring vulnerability scanning tools, the company failed to use them to conduct regular scans or policy compliance checks within the AHC environment prior to the incident. This was contrary to the company's own policies.
  • The "ZeroLogon" vulnerability exploited by the attacker (CVE-2020-1472) was critical and publicly disclosed in 2020; it allows an unauthenticated attacker with network access to a domain controller to take it over. Microsoft released patches in August 2020 (the initial deployment phase) and February 2021 (the enforcement phase, after which patched domain controllers reject vulnerable Netlogon connections), and the UK's National Cyber Security Centre (NCSC) had also issued an alert about it. However, Advanced's approach to patching was described as "ad hoc", and the company was unable to confirm whether the critical patch had been applied to the server that was compromised.
  • Multi-Factor Authentication (MFA) was not implemented on the public-facing Citrix environment that served as the attacker's entry point. While MFA was in place for some applications, an estimated 5% of personal data in the AHC environment was not protected by it. Advanced had developed a working MFA solution prior to the incident but had not rolled it out, citing a "perception" that customers would be unwilling to implement it.
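The finding above that Advanced could not confirm whether the ZeroLogon patch had been applied is the kind of question a domain administrator can answer from the domain controller itself. The following PowerShell script is an added example, not taken from the ICO notice or from Advanced's environment; it is a read-only check to run in an elevated session on each domain controller. The 30-day lookback window, the use of the ActiveDirectory module to enumerate DC machine accounts, and the assumption that account-management auditing is enabled are all assumptions made for this example.

```powershell
<#
Added example (not from the ICO notice or from Advanced): read-only check of
whether Netlogon secure-channel enforcement (the ZeroLogon / CVE-2020-1472 fix)
is in effect on this domain controller, and whether the DC has recently seen
vulnerable or suspicious Netlogon activity. Run elevated on each DC.
Assumptions: 30-day lookback; ActiveDirectory module available;
"Audit Computer Account Management" auditing enabled for event 4742.
#>
param(
    [int]$LookbackDays = 30
)

$since  = (Get-Date).AddDays(-$LookbackDays)
$report = [ordered]@{}

# 1. Enforcement registry value (1 = enforcement on).
#    Caveat: a DC with the February 2021 enforcement-phase update (or any later
#    cumulative update) installed enforces regardless of this value, so "not set"
#    on a fully patched DC is not a finding; an explicit 0 on an unpatched DC is.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$reg = Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue
$report['FullSecureChannelProtection'] = if ($null -ne $reg) { $reg.FullSecureChannelProtection } else { 'not set' }

# 2. Installed OS build (build.UBR), to compare against Microsoft's release notes
#    for the February 2021 or later cumulative update for this OS version.
#    UBR is absent on older OS versions; the field is then left blank.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$report['OSBuild'] = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

# 3. Netlogon events (System log, source NETLOGON) introduced by the August 2020 update:
#    5829        vulnerable connection ALLOWED  -> DC is still in deployment mode, not enforcing
#    5827, 5828  vulnerable connection DENIED   -> enforcement is working; fix the named client
#    5830, 5831  vulnerable connection allowed by a group-policy exception -> review the exception
$netlogon = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'
    Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since
} -ErrorAction SilentlyContinue
$report['NetlogonEventCounts'] = ($netlogon | Group-Object Id | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
$report['VulnerableConnectionsAllowed'] = @($netlogon | Where-Object Id -eq 5829).Count

# 4. Security event 4742 (computer account changed) against a DC's own machine account.
#    Public ZeroLogon exploits reset the DC machine-account password, which is
#    recorded here; a change to a DC account that the DC itself did not initiate
#    (for example, subject ANONYMOUS LOGON) warrants investigation.
$dcAccounts = Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)$" }
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4742; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
            Subject = ($x.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    } |
    Where-Object { $dcAccounts -contains $_.Target }
$report['DCMachineAccountChanges'] = @($changes).Count

[pscustomobject]$report | Format-List
if ($changes) { $changes | Format-Table -AutoSize }
```

Any 5829 event means the DC is still allowing the vulnerable handshake and the enforcement update has not taken effect; 5827 and 5828 events are the healthy signal (enforcement is on) but name third-party or legacy hosts that still need fixing. The event-log checks only cover the lookback window, so they complement rather than replace verifying the installed build against Microsoft's release notes.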

Fines and Penalties

Total Penalty: £3,076,320

The initial penalty proposed by the ICO was £6,090,000. The final amount includes a 20% reduction, applied to a figure of £3,845,400, in recognition of Advanced's cooperation and its agreement not to appeal the penalty notice, which allows for regulatory certainty and saves public resources.

Key quotes

  • "The Commissioner's view is that the Incident uncovered serious failings in AHC's application of fundamental cyber security principles, and compliance with its own security standards."
  • "The Commissioner considers that the deployment of MFA would likely have impeded the Threat Actor's ability to access Citrix in the first instance and therefore would have likely prevented the subsequent breaking out of Citrix, as well as the ultimate exfiltration and encryption of personal and special category data."
  • "The Commissioner considers Advanced's size, experience in personal data processing and the volume and nature of personal data it processed, means that it has a higher degree of responsibility for these basic security failings given higher standards of security are expected of it than would be expected of a much smaller organisation."

Sources: