121/68 Friday, March 28, 2025

The UK Information Commissioner’s Office (ICO) has fined Advanced Computer Software Group Ltd £3.07 million (approximately 135 million baht) following a ransomware attack in 2022 that resulted in the personal data of 79,404 individuals, including NHS patients, being compromised. The breach severely impacted several healthcare services, including the NHS 111 emergency helpline. The attack targeted Advanced, a managed service provider (MSP) for the UK’s healthcare sector.
An investigation revealed that the LockBit ransomware group was behind the attack. The attackers gained initial access over Remote Desktop Protocol (RDP) using compromised credentials on a Citrix server running the Staffplan software, and later moved laterally across the network. Although Advanced received support from cybersecurity experts at Mandiant and Microsoft, data recovery took significantly longer than expected. The ICO determined that Advanced had failed to adequately secure its systems, citing weaknesses in vulnerability scanning and patch management and the absence of comprehensive multi-factor authentication (MFA) coverage.
This fine marks the first time the ICO has directly penalized a data processor rather than a data controller, in contrast to previous high-profile cases such as British Airways (£20 million fine in 2018) and Marriott (£18.4 million fine for a 2014 breach). Although the penalty was reduced from the £6.09 million initially proposed in August 2024, the ICO emphasized the importance of strong data protection in an era of increasingly sophisticated cyber threats.