
UK fines software provider £3.07 million for 2022 ransomware breach

The UK Information Commissioner’s Office (ICO) has issued a £3.07 million fine on Advanced Computer Software Group Ltd for a 2022 ransomware attack that exposed the sensitive personal data of 79,404 people, including National Health Service (NHS) patients.

The cyberattack was announced in early August 2022 when various NHS services, including the 111 emergency service, suffered significant outages, pointing to a breach at British managed service provider (MSP) Advanced.

Advanced provided the NHS with various patient management and health-related products such as Adastra, Caresys, Carenotes, Odyssey, Crosscare, Staffplan, and eFinancials.

The company did not share many details about which ransomware group had compromised it, but in the days that followed, it became clear that recovery would take a long time, even with help from specialists at Mandiant and Microsoft.

It was later revealed that the LockBit ransomware group was responsible for the attack, leveraging compromised credentials to set up a remote desktop protocol (RDP) session on a Staffplan Citrix server before moving laterally into the organization’s environment.

Today, the ICO has announced a hefty £3.07 million ($3.95 million) fine on Advanced as a penalty for failing to safeguard sensitive data and systems against hackers.

The ICO highlights in its announcement the software vendor’s failure to implement adequate security measures that could have prevented the breach, which caused data exposure and life-threatening health service outages.

These omissions mainly concern poor vulnerability scanning, inadequate patch management, and a lack of comprehensive multi-factor authentication (MFA) coverage.
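The three gaps the ICO names (vulnerability scanning, patch management and incomplete MFA coverage) are things a defender can measure against an asset inventory. The following is an added illustration written for this page, not code from the ICO, Advanced or the article; it runs a simple coverage report over a constructed inventory of remote-access entry points (host names, dates and attributes are hypothetical) and flags internet-reachable systems where MFA is not enforced, systems whose last patch is older than a policy threshold, and the overlap of the two, which is where an exposed credential would do the most damage.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RemoteAccessSystem:
    """One remote-access entry point from an asset inventory (hypothetical schema)."""
    name: str
    protocol: str            # e.g. "rdp", "citrix", "vpn"
    internet_exposed: bool   # reachable from outside the network boundary
    mfa_enforced: bool       # MFA required for every interactive logon
    last_patched: date       # date of the most recent patch cycle


# Constructed sample inventory; none of these hosts are from the ICO notice.
INVENTORY = [
    RemoteAccessSystem("citrix-gw-01", "citrix", True, False, date(2022, 3, 1)),
    RemoteAccessSystem("vpn-gw-01", "vpn", True, True, date(2022, 7, 20)),
    RemoteAccessSystem("rdp-jump-01", "rdp", True, False, date(2022, 7, 25)),
    RemoteAccessSystem("rdp-internal-02", "rdp", False, False, date(2022, 6, 1)),
    RemoteAccessSystem("citrix-gw-02", "citrix", True, True, date(2022, 1, 15)),
]

# Reference date for the patch-age check (constructed, not a real incident date).
AS_OF = date(2022, 8, 1)


def mfa_gaps(inventory):
    """Names of internet-reachable remote-access systems with MFA not enforced."""
    return sorted(s.name for s in inventory if s.internet_exposed and not s.mfa_enforced)


def stale_patches(inventory, as_of, max_age_days):
    """Names of systems whose last patch is older than max_age_days as of `as_of`."""
    return sorted(s.name for s in inventory if (as_of - s.last_patched).days > max_age_days)


def coverage_report(inventory, as_of, max_age_days=30):
    """Combine the MFA and patch-age checks into a single gap report."""
    gaps = mfa_gaps(inventory)
    stale = stale_patches(inventory, as_of, max_age_days)
    exposed = sum(1 for s in inventory if s.internet_exposed)
    covered = exposed - len(gaps)
    return {
        # Share of internet-exposed entry points that do enforce MFA.
        "mfa_coverage_pct": round(100 * covered / exposed) if exposed else 100,
        "mfa_gaps": gaps,
        "stale_patches": stale,
        # Exposed, no MFA, and unpatched: fix these first.
        "high_priority": sorted(set(gaps) & set(stale)),
    }


if __name__ == "__main__":
    for key, value in coverage_report(INVENTORY, AS_OF).items():
        print(f"{key}: {value}")
```

In practice the inventory would be pulled from a CMDB, an identity provider's policy export or a vulnerability scanner rather than typed in, but the checks stay the same: the useful metric is not "MFA deployed somewhere" but the count of exposed entry points where it is absent, and that count should be zero.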

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said Information Commissioner John Edwards.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

It is worth noting that the fine imposed on Advanced for the 2022 ransomware incident is significantly reduced compared to the £6.09M ($7.74 million) figure that the ICO previously considered and announced in August 2024.

Nonetheless, it is significant because it is the first fine in the UK imposed on a data processor rather than a data controller.

Notable cases of past ICO fines on data controllers include the record £20 million fine on British Airways for a 2018 data breach and an £18.4 million fine on Marriott for a 2014 security incident.
