On March 27, 2025, the UK Information Commissioner’s Office (“ICO”) announced that it had issued a fine against Advanced Computer Software Group (“Advanced”) for £3.07 million (approx. $4 million) for non-compliance with security rules identified through an investigation following a ransomware attack which occurred in 2022.

The ICO’s investigation found that personal data belonging to 79,404 people was compromised, including details of how to gain entry into the homes of 890 people who were receiving care at home. According to the ICO, hackers accessed certain systems of a group subsidiary via a customer account that did not have multi-factor authentication. The ICO also noted that it was widely reported that the security incident led to the disruption of critical services. The ICO concluded that the group subsidiary had not implemented adequate technical and organizational measures to keep its systems secure.

Initially, the ICO intended to issue a higher fine against Advanced. However, it took into consideration Advanced’s proactive engagement with the UK National Cyber Security Centre, the UK National Crime Agency and the UK National Health Service in the wake of the attack, along with other steps taken to mitigate the risk to those impacted. The final fine represents a voluntary settlement agreed between the ICO and Advanced.
