Advanced Fined £3.07M for NHS Ransomware Attack, Adastra Disruptions, and Data Exposure

The UK Information Commissioner's Office (ICO) has fined Advanced Computer Software Group £3.07 million for security failings that led to a ransomware attack in August 2022. The attack, attributed to the LockBit ransomware group, disrupted critical NHS services, including NHS 111, and exposed the sensitive personal data of 79,404 individuals. The breach occurred due to inadequate security measures, including insufficient multi-factor authentication (MFA) coverage, poor vulnerability scanning, and inadequate patch management. Among the stolen data were details on how to access the homes of 890 individuals receiving care at home. The attack also caused significant disruptions to the Adastra platform, which supports NHS operations. The ICO initially proposed a fine of £6.09 million but reduced it due to Advanced's proactive engagement with the National Cyber Security Centre, National Crime Agency, and NHS following the attack. Advanced received assistance from Mandiant and Microsoft during the recovery process and has since implemented measures to address the identified vulnerabilities. This fine marks the first time the ICO has penalized a data processor under UK data protection law.