ICO fines software services provider £3.07 million following ransomware attack
In March 2025, the Information Commissioner's Office (“ICO”) fined Advanced Computer Software Group Ltd £3.07 million following a ransomware attack in August 2022. This incident serves as a critical reminder for organisations to implement robust security measures to protect sensitive personal information.
Advanced Computer Software Group Ltd, a provider of IT and software services to organisations including the NHS, faced a significant cyber attack when hackers accessed their health and care subsidiary's systems via a customer account lacking multi-factor authentication (“MFA”). The breach affected 79,404 individuals, including vulnerable patients receiving home care.
Key points of the cyber attack
- Lack of comprehensive MFA coverage: Despite having MFA installed across many systems, gaps in coverage allowed hackers to gain access
- Inadequate vulnerability scanning: The health and care subsidiary did not perform thorough vulnerability scans, leaving systems exposed
- Poor patch management: Failure to keep systems updated with the latest security patches contributed to the breach
- Impact on services: The ransomware attack disrupted critical services, including NHS 111, and prevented healthcare staff from accessing patient records
- Sensitive data compromised: Stolen data included sensitive personal information and details on how to access the homes of patients receiving care
Next steps
Organisations must take proactive steps to strengthen their data protection measures:
- Implement comprehensive MFA: Ensure all external connections are secured with MFA to prevent unauthorised access
- Regularly scan for vulnerabilities: Conduct thorough and regular vulnerability scans to identify and address security gaps
- Maintain up-to-date systems: Keep systems updated with the latest security patches to protect against known threats
- Engage with cybersecurity authorities: Collaborate with cybersecurity authorities to stay informed about emerging threats and best practices
Our views
This incident underscores the critical importance of robust security measures. Organisations must proactively assess and mitigate risks to safeguard sensitive personal information and maintain public trust. The Advanced Computer Software Group Ltd ransomware attack serves as a stark reminder that complacency in cybersecurity can have severe consequences, and it highlights the need for comprehensive data protection measures.
The ICO's decision to impose a substantial fine sends a clear message that organisations must prioritise robust security measures or face significant penalties. This proactive approach by the ICO aims to deter complacency and encourage continuous improvement in cybersecurity practices.
It is crucial to ensure that all systems are secured with comprehensive MFA, regular vulnerability scans, and up-to-date patches. The ICO's actions indicate that even partial compliance with security measures is insufficient; complete and thorough implementation is necessary to avoid breaches and penalties.
This case is also significant because it is the first fine that the ICO has imposed on a processor under UK GDPR. Since the inception of GDPR in 2018, the ICO had focused its regulatory attention on controllers. The ICO’s action in this case is a reminder that processors have their own obligations under UK GDPR, independent of their controllers. The ICO appears willing to regulate processors’ compliance with those obligations more actively in future, especially in relation to security measures they apply to data.
The financial penalty, although reduced, still represents a significant cost. Organisations must recognise that failing to protect sensitive information can lead to substantial financial losses, legal repercussions, and operational disruptions.