ICO fines Advanced Computer Software Group Ltd £6.09m over GDPR data breach
Insight
The ICO has provisionally fined Advanced Computer Software Group Ltd (Advanced) £6.09m, following a preliminary finding that Advanced failed to implement appropriate measures to protect personal data. This is the first potential fine in the UK GDPR era against a processor.
Advanced provides IT and software services to organisations on a national scale, such as the NHS and other healthcare providers, and manages people’s personal information for these organisations as their data processor.
The ICO’s provisional decision to issue a fine relates to a ransomware incident in August 2022, where Advanced’s health system was infiltrated by hackers who gained access via a customer account that did not have multi-factor authentication (MFA). The personal information of 82,946 people was exfiltrated following the attack, including details of how to gain entry to the homes of 890 people who were receiving care.
The ICO decision is only provisional and the ICO notes that no conclusion can yet be drawn as to whether Advanced has breached data protection law. However, the ICO has consistently communicated that organisations are expected to employ MFA as part of their duty to implement appropriate technical and organisational security measures.
Whilst controllers have ultimate control over how and why personal information is used, the obligation to implement appropriate security measures applies to both controllers and processors. And whilst in this case it is the processor that has been (provisionally) fined in respect of the failure to implement security measures, previous ICO decisions (and this one) have made it clear that there is also a duty on the controller to determine and communicate security requirements to its suppliers and to formalise these requirements within the contract. It is not yet clear whether measures such as MFA were specifically required of Advanced under its contracts.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2025