UK ICO Fines Advanced £3.07 Million Over Data Security Failures After Ransomware Attack

The UK’s Information Commissioner’s Office (ICO) has fined Advanced, a leading IT services provider, £3.07 million for failing to protect sensitive data, following a major ransomware attack in 2022. The breach compromised critical systems used by the NHS (the publicly funded healthcare system in England) and other public sector organizations, exposing confidential patient and business information.

The ICO’s investigation found that Advanced failed to implement adequate cybersecurity measures concerning weak access controls and a failure to properly patch vulnerabilities, leaving the system exposed to cyber threats. The attack disrupted NHS services, impacting vital operations such as patient referrals and emergency care systems.

Last year in August, the provisional intention was to fine Advanced £6,09 million. However, since the IT services provider showed proactive engagement and cooperation with the authorities, both parties reached a voluntary settlement of £3,07 million.  

John Edwards, the UK Information Commissioner, emphasized that companies handling sensitive data must uphold the highest security standards to prevent such breaches. “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place,” he said.

Nonetheless, this decision also displays the importance of engagement with supervisory and public authorities in order to take appropriate steps to mitigate the risk to those impacted and eventually reducing initial fines. For companies outside the EU or UK, it is essential to find a GDPR representative which facilitates good communication between all parties. Software provider fined £3m following 2022 ransomware attack | ICO