The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has confirmed that software provider Advanced will pay a £3 million ($3.8 million) penalty following a catastrophic 2022 ransomware attack. The fine stems from the company’s failure to implement essential security measures that could have prevented the incident.
Security Failings and Regulatory Action
The ICO determined that Advanced violated data protection law by failing to roll out multi-factor authentication (MFA) across all of its systems, leaving some accounts protected by a password alone. Attackers used stolen credentials to log in through one of those accounts, and from that foothold went on to steal sensitive personal data belonging to tens of thousands of people across the United Kingdom. A partial MFA rollout offers little protection in practice: an attacker holding valid credentials only needs one account that the rollout missed.
The final penalty is roughly half the figure the regulator first proposed. In August 2024, the ICO had announced a provisional fine of more than £6 million, citing serious security failings.
Impact on NHS Operations
The breach, carried out by the LockBit ransomware group, caused major operational disruption across the National Health Service (NHS). Because Advanced runs key patient data systems on behalf of the health service, the attack triggered widespread outages that left clinicians without access to systems they rely on and hampered the delivery of medical services.
The ICO confirmed the enforcement action this Wednesday, stressing that vendors handling public sector data must maintain robust security hygiene, with MFA on every account that can reach personal data singled out as a baseline expectation.
Company Response
In an official statement, Advanced confirmed that it has reached a settlement with the regulator to conclude the investigation. The company declined to make a spokesperson available for further comment on the incident or the penalty.
