
Implement MFA or Risk Non-Compliance With GDPR

The UK Information Commissioner’s Office announced its intention to fine Advanced Computer Software Group £6.09 million.

The UK Information Commissioner’s Office (ICO, the data protection and information rights regulator) today announced its intention to fine the Advanced Computer Software Group £6.09 million.

The fine relates to an August 2022 ransomware attack against the National Health Service (NHS). Records of 82,946 patients, including personal details, were exfiltrated, and the 111 (non-emergency) call service was disrupted. The stolen details included information on how to gain access to the homes of 890 people being treated at home.

The ICO’s findings are provisional, and no final decision has been made – so the fine can yet be increased, decreased or dismissed. So far, the investigation has concluded that attackers accessed several Advanced health and care systems via a customer account that did not have multi-factor authentication.

Publishing an ‘intention to fine’ serves multiple purposes. One of these is to act as a warning to other organizations. In this case, John Edwards, the UK Information Commissioner, commented: “For an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security… We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”

The implication is very clear. If you wish to avoid non-compliance, the very least that is required is implementation of MFA, regular vulnerability scans, and an effective patching regime.

MFA is given particular weight. “I urge all organizations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication,” said Edwards.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
