The UK Information Commissioner's Office (ICO) this week sent an important reminder of the financial and regulatory consequences of cyber attacks.

The Commissioner has indicated he intends to issue a £6.09m fine to Advanced Computer Software Group Ltd., an IT and software services provider to the NHS, which was hit by a ransomware attack in August 2022. During the attack, ransomware group LockBit exfiltrated the personal data (including medical information) of over 82,000 individuals and brought some NHS services to a standstill.

The Commissioner has provisionally found serious failures by Advanced, as data processor, to secure the personal data held on its healthcare systems. Article 32 of the UK GDPR imposes an obligation on data controllers and processors alike to implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk".

Key contributing factors to the Commissioner’s decision included:

  1. The highly sensitive nature of some of the personal data
  2. The widespread disruption caused to patients by the incident – NHS 111 was impacted and there was some difficulty accessing patient records
  3. The level of distress caused to those individuals affected
  4. The risks which disclosure posed to some individuals (including personal security risks where details on how to access private homes were disclosed)

This fine has been proposed even though affected individuals were notified and there was no evidence that the stolen personal data had been misused.

The notice is a timely reminder that, although data processors (such as outsourced IT providers) operate on the instructions of their clients (who are typically the data controllers), processors must still meet their own security obligations under Article 32 and can be fined for failing to do so.

The notice re-affirms some of the ICO's expectations in terms of appropriate technical and organisational measures. The ICO's provisional findings indicate that the attackers initially gained access via a customer account that was not protected by multi-factor authentication, and the Commissioner issued a public warning that organisations must urgently ensure that all external connections are secured with multi-factor authentication. He also reinforced the need for regular vulnerability scanning and timely security patching.

This decision is not final and Advanced has the opportunity to make detailed representations, which may influence the final decision and the level of fine imposed. There are other examples of organisations successfully reducing the fine proposed by the ICO, including British Airways, whose proposed fine of £183m was reduced to £20m in 2020.

For more information about how to respond to a cyber attack, see our blog here.

If you have suffered a cyber attack or you simply want to improve your compliance and preparedness, the Burness Paull cyber team is on hand to work with you to manage the incident and/or improve your cyber resilience going forward.
