United Kingdom: Issued ICO’s provisional decision to fine software provider Advanced for data protection failures

Description

Issued ICO’s provisional decision to fine software provider Advanced for data protection failures

On 7 August 2024, the UK Information Commissioner's Office provisionally decided to fine Advanced Computer Software Group Ltd GBP 6.09m due to failures in implementing adequate measures to protect the personal information of 82,946 individuals. The decision follows an incident in August 2022, in which a ransomware attack led to the exfiltration of sensitive data, including medical records and personal contact details, through a customer account lacking multi-factor authentication. The attack notably disrupted NHS services. The ICO noted the importance of information security, especially for organisations handling sensitive health data, and outlined expectations for such entities to implement robust security measures such as multi-factor authentication and regular system updates.

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
software provider: other software
Implementation Level
national
Government Branch
executive
Government Body
data protection authority

Complete timeline of this policy change

2024-08-07
under investigation

On 7 August 2024, the UK Information Commissioner's Office provisionally decided to fine Advanced C…