On 26 March 2025, the UK’s Information Commissioner’s Office (ICO) fined Advanced Computer Software Group Ltd (Advanced) a significant amount for failing to implement adequate security measures. The incident highlights the importance of implementing robust security measures, especially for companies processing sensitive personal data.
What Happened?
The incident began in August 2022, when an unauthorized third party gained access to one of Advanced’s systems using valid credentials. The system did not have multi-factor authentication (MFA) enabled. The intruder then escalated their privileges to a domain administrator account; the vulnerability used for this was later identified as ZeroLogon (CVE-2020-1472).
- The unauthorized third party exploited this vulnerability to move through Advanced’s environment, disable antivirus software, and exfiltrate data.
- The incident infected 295 endpoints and resulted in the loss of 19 GB of data.
Who Was Affected?
The incident affected nine of Advanced’s systems that service healthcare business customers, including the UK’s National Health Service (NHS). Approximately 658 business customers use these systems. To recover from the incident, Advanced took multiple systems offline to rebuild from scratch, reconnecting data controllers one by one. The process took until May 2023, resulting in some business customers facing disruption for around 9 months.
What Personal Data Was Affected?
The incident affected the personal data of 79,404 individuals, including:
- Demographic and contact information (e.g., name, date of birth, address, mobile number, email address).
- Employment-related information (e.g., employer name, job title, employee ID, salary, business contact details).
- Medical/health information (e.g., medical records, medical history, diagnosis, treatments, prescription information, NHS number, dates of treatment).
- Other information including special category data (e.g., national ID number, racial or ethnic origin, religion or philosophical beliefs, nationality).
Key Takeaways
The ICO’s penalty notice highlights the importance of implementing adequate security measures, especially for companies processing sensitive personal data. The incident demonstrates the need for companies in high-risk sectors (such as healthcare) to take particular care.
- Companies operating in high-risk sectors must implement technical and organisational measures to ensure a level of security appropriate to the risk posed by processing personal data.
- The ICO increasingly sees multi-factor authentication (MFA) as an essential security measure to mitigate cyber risks.
- Security practices should be the same across parent and subsidiary levels to ensure a unified approach to security.
ICO Criticisms
The ICO criticized Advanced’s parent company for not implementing a vulnerability scanning application, despite procuring one. The company also failed to consistently patch vulnerabilities across its subsidiaries.
“The ICO views patch management as a necessary technical and organisational measure that should be implemented to ensure a level of security appropriate to the risk posed by processing personal data.”
Importance of Regular Vulnerability Scanning and Patch Management
Regular vulnerability scanning is essential to maintain the security of systems. Companies should perform vulnerability scans once a month, as recommended by the UK National Cyber Security Centre.
- Definition: regular vulnerability scanning involves scanning systems for potential vulnerabilities and weaknesses.
- Companies should also ensure that their patching records are accurate.
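As an added illustration of the record-versus-scan check described above (example code written for this page, not from the penalty notice or from Advanced): it reconciles a constructed patching record with constructed scan results and flags hosts that were never scanned, scans older than the monthly cadence, and records that claim CVE-2020-1472 is patched while the latest scan still detects it. Host names and dates are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
ZEROLOGON = "CVE-2020-1472"  # the Netlogon flaw named in the penalty notice

@dataclass(frozen=True)
class PatchRecord:
    host: str
    role: str
    patched: frozenset  # CVE ids the patching record claims are remediated

@dataclass(frozen=True)
class ScanResult:
    host: str
    scanned_on: date
    vulnerable: frozenset  # CVE ids the scanner still detected

def reconcile(records, scans, as_of, cadence_days=30):
    """Compare the patching record with the latest scan; returns {host: [issue, ...]}."""
    latest = {s.host: s for s in sorted(scans, key=lambda s: s.scanned_on)}  # last scan wins
    issues = {}
    for rec in records:
        found = []
        scan = latest.get(rec.host)
        if scan is None:
            found.append("never scanned")
        else:
            if (as_of - scan.scanned_on).days > cadence_days:
                found.append(f"last scan is older than {cadence_days} days")
            for cve in sorted(rec.patched & scan.vulnerable):
                found.append(f"record claims {cve} patched but scan still detects it")
        if rec.role == "domain controller" and ZEROLOGON not in rec.patched:
            found.append(f"{ZEROLOGON} never recorded as patched on a domain controller")
        if found:
            issues[rec.host] = found
    return issues

# Constructed sample data (hypothetical hosts and dates, not from the notice).
RECORDS = [
    PatchRecord("dc01", "domain controller", frozenset({ZEROLOGON})),
    PatchRecord("dc02", "domain controller", frozenset()),
    PatchRecord("app01", "application server", frozenset({ZEROLOGON})),
]
SCANS = [
    ScanResult("dc01", date(2022, 5, 1), frozenset()),              # superseded by the later scan
    ScanResult("dc01", date(2022, 7, 20), frozenset({ZEROLOGON})),  # record says patched; scan disagrees
    ScanResult("app01", date(2022, 4, 1), frozenset()),             # no newer scan: stale
]

def demo():
    # Run the reconciliation as of 1 August 2022, the month the incident began.
    return reconcile(RECORDS, SCANS, as_of=date(2022, 8, 1))
```

Running `demo()` reports the inaccurate record on dc01, the unscanned and unpatched dc02, and the stale scan on app01.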
The ICO’s penalty notice emphasizes the importance of implementing robust security measures to protect sensitive personal data. Companies operating in high-risk sectors must take particular care to ensure a level of security appropriate to the risk posed by processing personal data.