ICO fines £3m for data breach affecting 79,000

The ICO has fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk.  

The breach dates back to 2022, when hackers accessed personal data via a customer account that did not have multifactor authentication (MFA) enabled.

As a result, NHS111 was disrupted and details of 79,000 people were taken, including how to gain access to a number of those receiving care at home.

You can read the full ICO ruling at https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/software-provider-fined-3m-following-2022-ransomware-attack/ but what can we learn from this?

Part of the Information Commissioner’s response includes the comment that ‘organisations must be taking proactive steps to assess and mitigate risks, such as implementing comprehensive MFA (or an equivalent measure), regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.’

  • Have you implemented MFA wherever you can?
  • Do you regularly check for vulnerabilities?
  • Are your systems kept up to date with the latest patches?