Advanced Computer Software Group, a software supplier, may face a fine of £6.09m for failing to implement adequate cybersecurity measures to protect the personal data of 82,946 individuals. The data was stolen by the LockBit ransomware gang following an attack on the company’s systems in August 2022.
The cyber attack on Advanced caused significant disruption to NHS trusts and other social care bodies that used its Caresys, Staffplan, and Adastra services. The Adastra service, in particular, experienced the biggest impact, affecting the NHS’s 111 advice service.
The LockBit gang gained access to Advanced’s network using legitimate credentials on a third-party account that lacked multifactor authentication (MFA). They were able to move laterally through the network, exfiltrate sensitive data, and execute their ransomware attack.
Information Commissioner John Edwards emphasized the importance of information security and the impact of losing control over sensitive personal information. He highlighted the need for organizations to prioritize cybersecurity measures such as regular vulnerability checks, MFA implementation, and system patching.
Although the ICO’s findings are provisional, Advanced has the opportunity to present their case before a final decision is made. Edwards urged organizations, especially those handling sensitive health data, to secure their systems and implement MFA policies.
Advanced, now operating as OneAdvanced, cooperated with the ICO’s investigation and acknowledged the regulator’s findings. They confirmed that steps were taken to isolate systems after detecting cyber activity in 2022 and that customer data was not publicly exposed.
The organization expressed regret for the incident and highlighted their ongoing commitment to cybersecurity. They have invested in remediation measures and continue to enhance their security protocols to prevent future cyber threats.
According to Advanced’s financial records, they spent £18.3m on remediation measures post-attack and an additional £3m in the following financial year.
