United Kingdom: Information Commissioner's Office issued final decision to fine GBP 3.07 million Advanced Computer Software Group for data protection failures

On 26 March 2025, the UK Information Commissioner's Office (ICO) imposed a monetary penalty of GBP 3.07 million on Advanced Computer Software Group Limited for violations of the United Kingdom General Data Protection Regulation (UK GDPR). The enforcement action stemmed from a ransomware incident in August 2022 that compromised personal data relating to 79'404 individuals, including medical records and home access information for 890 care recipients. The ICO's investigation identified deficiencies in Advanced Computer Software Group's implementation of multi-factor authentication, vulnerability scanning, and patch management systems. The ICO initially proposed a penalty of GBP 6.09 million in August 2024, which was subsequently reduced following Advanced Computer Software Group's cooperation with the National Cyber Security Centre (NCSC), National Crime Agency (NCA) and the National Health Service (NHS). Advanced Computer Software Group accepted the final penalty amount and waived its right of appeal.