On 27 March 2025, the Information Commissioner’s Office (“ICO”) fined Advanced Computer Software Group Ltd and two of its group entities (“Advanced”) £3.07m for failing to fully implement appropriate security measures to adequately protect personal information.
Advanced provides IT and software services to various organisations, including the NHS. In this context it acts as a Processor under the UK General Data Protection Regulation (“UK GDPR”).
In 2022, Advanced suffered a ransomware attack in which the attackers gained access to its systems through a customer account that was not protected by multi-factor authentication (“MFA”). Personal information belonging to 79,404 people, including sensitive health and medical information, was exfiltrated. Advanced’s customers, including NHS 111, also suffered disruption and delays in accessing information while the affected systems were unavailable.
Under Article 32 of the UK GDPR, both Controllers and Processors must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In this case, the ICO held that the security measures implemented by Advanced fell seriously short of those required from a Processor.
In particular, Advanced had not:
- Deployed MFA across all relevant systems, leaving some customer accounts reachable with a password alone;
- Conducted regular and comprehensive vulnerability scanning. The National Cyber Security Centre recommends that scans be conducted at least once every month;
- Put in place adequate patch management; and
- Implemented vulnerability management controls which met industry standards.
This decision serves as a helpful reminder that:
- Whilst Controllers are responsible for ensuring appropriate security measures are in place and choosing Processors that provide sufficient assurances as to security, Processors are also directly required to comply with the security obligations of Article 32; and
- Although Controllers are responsible for managing personal data breaches and reporting them to the ICO where required (with Processors obliged under Article 33(2) to notify the Controller without undue delay), Processors can themselves be subject to enforcement action where deficiencies in their security measures have caused or contributed to the breach.
It is also notable that one of the Advanced group entities named in the penalty notice is a Jersey company, registered in the Channel Islands and therefore outside the UK. In this case it appears that this entity was treated, together with the two UK-registered Advanced entities, as being established in the UK for the purposes of Article 3(1) of the UK GDPR, bringing it within the territorial scope of the regulation.
If you need legal assistance related to this topic, please reach out to your usual CMS contact or one of the key contacts included below.
Article co-authored by Lisa Franco, Trainee Solicitor at CMS.