
Ransomware Attack Threatens Software Supplier with £6 Million Fine: ICO Urges Immediate Multi-Factor Authentication

Posted on 13th August 2024 in Data Protection

Posted by Jessica Whittick, Solicitor

The ICO has provisionally decided to issue a fine to Advanced, an IT software company providing services to the NHS, after it experienced a ransomware hack in August 2022.

Cyber threats are increasing, and GCHQ expects AI to heighten the global ransomware threat. Government statistics from 2024 show that half of businesses (50%) and a third of charities (32%) report having experienced some form of cyber security breach or attack in the last 12 months. The proportion is much higher for:

  • Medium businesses – 70%
  • Large businesses – 74%
  • High-income charities with £500,000 or more in annual income – 66%.

In this insight, we discuss what we know so far about the breach, refer to the regulatory framework and explain how Tozers can assist your business with GDPR.

What do we know so far?

The ICO has provisionally found that hackers initially accessed a number of Advanced’s health and care systems via a customer account that did not have multi-factor authentication. They provisionally report that personal data belonging to 82,946 people was exfiltrated during the attack, including phone numbers, medical records, as well as details of how to gain entry to the homes of 890 people who were receiving care at home.

Why does a business get punished if its systems get attacked?

Data processors have a duty to ensure that personal data “is processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing… using appropriate technical or organisational measures” (Article 5(1)(f) UK GDPR). This is known as the “security principle”. A data subject has a right to privacy and if they decide to share their data with your business, the onus is on you to keep it safe.

Protecting personal data involves careful consideration of risk analysis, organisational policies and physical and technical measures. Software, a form of technical measure, is just one ingredient in the mix.

When do we consider what measures to incorporate?

The “data protection by design” principle in Article 25 UK GDPR requires you to put in place appropriate technical and organisational measures to safeguard processing. You have to do this during the design phase of any processing operation and during the processing itself.

Does that mean we need to deploy the most expensive software to protect personal data?

No. You can consider the state of the art and costs of implementation when deciding what measures to take but the ICO says they must be appropriate to both your business’ circumstances and the risk your processing poses. This means there is no one-size-fits-all solution.

Having said that, multi-factor authentication is a straightforward method to secure data and deploying it does not involve paying for the most expensive software.

What is the ICO’s message to UK businesses?

John Edwards, UK Information Commissioner said:

“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.

I am choosing to publicise this provisional decision today as it is my duty to ensure other organisations have information that can help them to secure their systems and avoid similar incidents in the future. I urge all organisations, especially those handling sensitive health data, to urgently secure external connections with multi-factor authentication.”

What powers does the ICO have?

The ICO is the UK’s largest independent body set up to uphold information rights. It has various enforcement powers, for example:

1. Issuing information notices that require you to provide certain information.
2. Issuing enforcement notices that require you to take, or refrain from taking, particular steps or actions.
3. Issuing monetary penalties of up to £17 million for contraventions relating to network and information systems.

Can you challenge a monetary penalty by the ICO?

Yes. Advanced has received a penalty notice, and the Commissioner has not yet made a final decision.

If the ICO intends to issue a monetary penalty it will send a notice of intent which you can challenge by sending written representations within a strict timeframe. Time is of the essence when you receive a notice of intent so it is crucial that you seek legal advice without delay.

In 2023 we acted on behalf of a client who was issued with a notice of intent for over £180,000 as a result of a data breach. We sent written representations which were successful, resulting in the investigation being dropped and the fine waived in its entirety.

How can Tozers help my business?

Everyone responsible for using personal data (which includes storing it) has to follow strict rules and lawyers play a crucial role in navigating the complex legal landscape surrounding personal data.

Tozers’ expert Data Protection Team can help you comply with the regulatory framework by:

  • Providing advice and guidance.
  • Discussing data protection impact assessments and the technical and organisational measures that mitigate or manage the risks you identify with new systems.
  • Drafting bespoke data protection policies.
  • Providing training to staff.
  • If the worst happens, preparing written representations to the ICO to dispute any penalty notice.

If you require advice, speak to one of our legal experts today in a no-obligation phone call. 
