In a landmark decision, the Information Commissioner’s Office ("ICO") has issued a £3.07 million fine to the Advanced Computer Software Group ("ACSG"), following a ransomware attack in 2022. This penalty marks a significant shift in the ICO’s approach to data protection enforcement, as it is the first time the ICO has fined a data processor rather than a data controller. ACSG's fine emphasises that processors are now firmly within the regulatory scope of the ICO’s fining regime and signals growing accountability for all organisations involved in the handling of personal data.
The Ransomware Attack and ICO Investigation
The breach occurred in August 2022 when ACSG's health and care subsidiary was targeted by hackers who exploited a customer account without multi-factor authentication ("MFA") protection. This cyberattack led to widespread disruption in healthcare services, including NHS 111, and left healthcare professionals unable to access critical patient records. As a result, the personal data of 79,404 individuals was exposed, including sensitive information about patients receiving home care and details about how to access their homes.
The ICO’s subsequent investigation revealed significant gaps in ACSG's security protocols. While MFA had been implemented across many systems, some critical components remained unprotected, enabling hackers to exploit vulnerabilities and breach sensitive data. Additionally, the ICO identified weaknesses in vulnerability scanning and patch management, which further exacerbated the risk.
The ICO announced a provisional intention to fine ACSG £6.09 million in August 2024 but later reached a voluntary settlement. The ICO decided to reduce the fine, taking into account steps taken by ACSG to mitigate the risk to those affected, as well as ACSG's engagement with the National Cyber Security Centre, the National Crime Agency and the NHS.
A Shift in Accountability for Data Processors
Historically, the ICO has focused on issuing fines to data controllers. However, this decision increases the regulatory focus on data processors, which are third-party organisations that process personal data on behalf of data controllers. The decision reaffirms that processors are equally responsible for ensuring the security of the personal data they handle.
Both controllers and processors are required to implement appropriate security measures to protect personal data. The ICO’s fine against ACSG underscores that processors are not exempt from these obligations and can face serious consequences if they fail to meet required standards.
This shift in accountability is significant for organisations that provide data processing services. Data processors must take a proactive approach to data security and ensure that robust measures are in place to prevent breaches and protect personal data.
The Importance of Robust Data Security Measures
The ICO’s decision to fine ACSG highlights the critical importance of implementing comprehensive security measures to protect sensitive personal data. John Edwards, the Information Commissioner, emphasised that “people should never have to think twice about whether their medical records are in safe hands.” This sentiment reinforces that organisations, whether data controllers or processors, must have stringent safeguards in place to protect personal information from unauthorised access and breaches.
The ICO’s investigation into ACSG found that the company’s failure to implement full MFA coverage, among other security lapses, directly contributed to the breach. MFA is a fundamental security measure that adds a layer of protection by requiring more than one form of verification before access to sensitive systems is granted. The decision underscores the critical need for organisations to ensure that MFA is deployed across all systems, including those accessed by third-party service providers.
Additionally, organisations should ensure they have comprehensive vulnerability scanning processes in place to detect and address potential weaknesses in their systems. Regular patch management is also essential to address any known vulnerabilities and prevent them from being exploited by cybercriminals.
An Important Reminder
The ICO’s £3.07 million fine against ACSG serves as an important reminder that both data controllers and data processors have an ongoing responsibility to protect personal data. With cyberattacks becoming more frequent and sophisticated, organisations cannot afford to neglect their data security measures. The decision signals that data processors will now face greater scrutiny from the UK regulator, and they must ensure that they meet the same high standards for data protection as data controllers.
This case underscores the need for a proactive approach to cybersecurity. If you have any questions about data processing or would like guidance on safeguarding your data, please contact David Gourlay or another member of MFMac’s Manufacturing, Media & Technology team.
This article was co-written by Sasha Fothergill, Trainee Solicitor in MFMac's Manufacturing, Media & Technology team.