Software Company Fined Over £3 Million After Cyber Attack
A software company that provides data processing services to organisations, including the NHS and other healthcare providers, has been fined more than £3 million by the Information Commissioner's Office (ICO) following a ransomware attack.
The attack occurred in August 2022. Hackers gained access to the company's systems via a customer account that did not have multi-factor authentication. Critical services such as NHS 111 were disrupted, and healthcare staff were unable to access patient records. Personal information relating to 79,404 people was taken, including names and dates of birth, contact details, employment information and health-related information. The data also included details of how to gain entry to the homes of 890 people who were receiving care at home.
The ICO found that, between 2018 and 2022, the company had failed to implement appropriate technical and organisational measures in processing personal data on behalf of customers which were data controllers, leaving the security of the data at risk. Its measures fell short of fundamental cyber security principles, with deficiencies in respect of vulnerability scanning, patch management and multi-factor authentication. The failures amounted to a breach of Article 32(1) of the UK General Data Protection Regulation.
The ICO took into account the seriousness of the infringement and the company's degree of responsibility. It also noted that the company had taken steps to mitigate the damage suffered by the data subjects and to proactively notify and work with the National Cyber Security Centre and the National Crime Agency.
Taking all the relevant factors into account, the ICO considered a penalty of £3,845,400 to be appropriate. The penalty was reduced by 20 per cent, to £3,076,320, in view of the company's acknowledgement of the ICO's decision and its agreement not to appeal against the penalty notice.