UK ICO – provisional decision to impose GBP 6mn fine on "Advanced LTD."
- Author: Wolfgang von Sandersleben, DP-Dock GmbH
- Last updated: August 2024
- Category: Enforcement
The Advanced Computer Software Group Ltd has failed to implement measures to protect the personal data of almost 83’000 individuals, which also included sensitive data. It is assumed that this was made possible by a hacker attack in August 2022, in which personal information of other customers was exfiltrated through a customer account that was not secured with appropriate safety standards, while healthcare staff were unable to access patient records.
The data concerned included medical records, phone numbers and details of instructions for entering the private homes of patients who receive care. The people affected have been notified, and Advanced took measures to deal with the issue. The whole case is still under investigation. While a data leak has been confirmed, whether Advanced will be held liable for the data breaches is still to be decided.
Nonetheless, the ICO decided to impose a provisional fine of GBP 6mn on Advanced before a final decision is published.
The case shows the importance of implementing appropriate safety standards, especially regarding technical and organizational measures. Here, risk assessments can analyze possible scenarios upfront and contribute to thorough risk mitigation, with proper response mechanisms to limit vulnerability to cyber-attacks. Especially where sensitive data is processed and stored, data controllers need to proceed with great caution.
Therefore, we recommend regular checks for vulnerabilities and the implementation of multi-factor authentication.