Article Details
Scrape Timestamp (UTC): 2025-03-27 09:35:44.324
Source: https://www.theregister.com/2025/03/27/ransomwared_nhs_software_supplier_nabs/
Original Article Text
Ransomwared NHS software supplier nabs £3M discount from ICO for good behavior

Data stolen included checklist for medics on how to get into vulnerable people's homes

The UK's data protection watchdog is dishing out a £3.07 million ($3.95 million) fine to Advanced Computer Software Group, whose subsidiary's security failings led to a ransomware attack affecting NHS care.

This is nearly half the fine the Information Commissioner's Office provisionally floated in August last year – £6.09 million ($7.8 million) – although it said at the time the final sum would depend on what the company did and said.

The ICO said Advanced settled for the reduced fine after acknowledging the watchdog's decision; agreeing to pay up without appealing; playing nicely with the NCSC, NCA, and NHS following the attack; as well as taking "other steps" to mitigate related risk.

The Russian-speaking LockBit ransomware gang launched an attack on Advanced Health and Care Limited, the IT software and services subsidiary that serves the NHS and other healthcare organizations, in August 2022. A post-mortem revealed LockBit first broke in via a customer account that lacked multi-factor authentication (MFA). The ICO cited the gaps in applying MFA policies across the organization, lack of vulnerability scanning, and inadequate patch management as the primary facilitators of the attack.

As The Register reported at the time, the NHS's non-emergency phone operators on the 111 line were forced to operate via pen and paper, while other healthcare professionals were unable to access patient records. The disruption lingered for weeks and in some cases months.

In addition to providing IT services to healthcare organizations, Advanced acted as the processor of people's personal data on behalf of its clients.

In total, 79,404 people's data was stolen. Underscoring the severity of the attack, the ICO stressed 890 of these individuals were vulnerable people who were receiving care at home. Among the data pilfered by ransomware crooks were the instructions on how to enter their homes, typically meant to be seen only by traveling healthcare professionals.

John Edwards, the UK's information commissioner, said the security measures at Advanced's health subsidiary "fell seriously short of what we would expect from an organization processing such a large volume of sensitive information." While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people's sensitive personal information at risk.

"People should never have to think twice about whether their medical records are in safe hands. To use services with confidence, they must be able to trust that every organization coming into contact with their personal information – whether that's using it, sharing it, or storing it on behalf of others – is meeting its legal obligations to protect it.

"With cyber incidents increasing across all sectors, my decision today is a stark reminder that organizations risk becoming the next target without robust security measures in place. I urge all organizations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable."

The fine for Advanced's subsidiary is the largest in almost two years. In fact, the ICO hasn't fined any organization more than seven figures since TikTok in April 2023 for misusing children's data. Advanced's penalty is the sixth highest in ICO history, trailing (in descending order) British Airways, Marriott, TikTok, Clearview (blocked), and Interserve.
Daily Brief Summary
A ransomware attack on Advanced Computer Software Group led to the theft of sensitive data, including instructions for entering the homes of vulnerable NHS care recipients.
UK's Information Commissioner's Office (ICO) fined the company £3.07 million, reduced from an initial £6.09 million based on the company's cooperation.
The attack, caused by gaps in multi-factor authentication and inadequate cybersecurity practices, significantly impacted NHS operations, forcing some services to revert to pen and paper.
LockBit ransomware gang, a Russian-speaking group, was responsible for the breach that occurred in August 2022 through a compromised customer account.
Among the stolen data were personal details of 79,404 individuals, including 890 vulnerable patients receiving in-home care.
The ICO stressed that Advanced's failure to implement robust security measures exposed sensitive personal information to significant risk.
The fine is one of the largest issued by the ICO in the past two years, underlining the severity and impact of the breach.
ICO underscores the increasing necessity for organizations to ensure comprehensive cybersecurity measures, including multi-factor authentication across all external connections.