NHS LockBit ransomware attack yields £3.07 million penalty on tech provider

In 2022, the notorious LockBit ransomware group targeted the servers of the UK’s National Health Service (NHS), a breach that affected around 79,000 individuals, including both patients and staff. Upon investigation, it was revealed that the malware had infiltrated the NHS systems through a third-party technology provider, Advanced Computer Software Group LTD.

As a result of this data breach, the UK’s Information Commissioner’s Office (ICO) has imposed a hefty fine of £3.07 million on the managed service provider, commonly referred to as ‘Advanced.’ The penalty was issued for the company’s failure to adequately protect patient and staff data from cybercriminals. This breach potentially exposed sensitive personal information to malicious third parties, who could exploit this data to cause harm to customers and employees in the future.

The ICO’s investigation found that Advanced had neglected to implement essential security measures, such as Multi-Factor Authentication (MFA) on the Staffplan Citrix Server. This oversight was a significant factor in the breach, which ultimately compromised sensitive data.

It’s worth noting that in a separate incident, the ICO also fined Advanced £6.49 million in August 2024 for failing to prevent another ransomware attack. After legal negotiations, however, that penalty was reduced by 50%. The reduction came after the ICO acknowledged that Advanced was a data processor rather than a data controller, meaning its responsibilities in the incident were less direct, and the fine was halved without further appeals.

The ICO has established a firm track record of holding businesses accountable for failing to safeguard customer data. For instance, in 2018, the agency slapped British Airways with a £20.09 million fine for a data breach that impacted its customers, and Marriott was penalized £18.06 million for a similar incident dating back to 2014.

The ICO’s actions underscore the increasing seriousness with which it is approaching data security, especially after the introduction of the General Data Protection Regulation (GDPR) in 2018. The penalties levied against companies like Advanced serve as a stark reminder that any organization failing to adequately protect customer information will face significant financial and reputational consequences. This trend highlights the importance of proactive cybersecurity measures to prevent such breaches and avoid the heavy penalties that can result from neglecting data protection responsibilities.
