British software and IT services provider Advanced Computer Software Group has been fined £3 million ($3.8 million) by the UK Information Commissioner’s Office (ICO) over a 2022 data breach resulting from a ransomware attack.
Advanced, which is operating as OneAdvanced, was targeted in 2022 by the notorious LockBit ransomware group. The attack caused significant disruptions to several of the company’s products and resulted in the information of roughly 80,000 people getting stolen.
The company caters to the UK’s National Health Service and other healthcare providers and in the case of nearly 900 people who had been receiving care at home the compromised information included details on how to enter their home.
Advanced systems were compromised through a customer account that did not have multi-factor authentication (MFA), and the ICO said the company violated data protection laws by failing to fully implement appropriate security measures, including MFA.
The ICO said the settlement is voluntary and Advanced is paying a reduced fine without an appeal.
“What happened over two and a half years ago is wholly regrettable. With threat actors operating with increasing sophistication it is upon all businesses to ensure their cyber posture is continually strengthened. Cyber security remains a primary investment across our business, and we have learned a great deal as an organisation since this attack,” an Advanced spokesperson told SecurityWeek.
“We reported the incident to the ICO in August 2022 and are pleased to see this matter concluded. Our focus remains steadfast on supporting our customers as they navigate the rapidly evolving technology landscape, ensuring they achieve their strategic growth and operational efficiency goals,” they added.
Commenting on the fine, Trevor Dearing, director of critical infrastructure at Illumio, said, “The fine, while significantly reduced, is still substantial. It should serve as a wake-up call to all businesses that they cannot afford to neglect the basics. Containing and limiting the impact of attacks has to be the priority, and security controls like MFA, patch management, and segmentation are non-negotiable. Attackers will get in, but businesses can stop them from reaching critical data and systems if they just do the basics well.”
“It’s also a reminder not to blindly trust suppliers’ security. Recent research from the Ponemon Institute shows that less than half of UK businesses worry about ransomware risks from the supply chain, but the threats are rising. Complacency and overconfidence lead to successful attacks, and in today’s economy, no business can afford to lose money to cybercriminals or regulators,” Dearing told SecurityWeek.
Related: Uber to Appeal €290 Million GDPR Fine
Related: LinkedIn Hit With 310 Million Euro Fine for Data Privacy Violations From Irish Watchdog
Related: Clearview AI Fined $33.7 Million by Dutch Data Protection Watchdog Over ‘Illegal Database’ of Faces
Related: Infosys to Pay $17.5 Million in Settlement Over 2023 Data Breach
