The UK Data Commissioner’s Workplace (ICO) has issued a £3.07 million fantastic on Superior Pc Software program Group Ltd for a 2022 ransomware assault that uncovered the delicate private knowledge of 79,404 individuals, together with Nationwide Well being Service (NHS) sufferers.
The cyberattack was introduced in early August 2022 when numerous NHS companies, together with 111 emergency companies, suffered important outages, pointing to a breach at British managed service supplier (MSP) Superior.
Superior supplied NHS with numerous affected person administration and health-related merchandise akin to Adastra, Caresys, Carenotes, Odyssey, Crosscare, Staffplan, and eFinancials.
The corporate did not share many particulars about which ransomware group had compromised them, however within the days that adopted, it turned clear that restoration would take lengthy, even with the assistance from consultants at Mandiant and Microsoft.
It was later revealed that the LockBit ransomware group was liable for the assault, leveraging compromised credentials to arrange a distant desktop protocol (RDP) session on a Staffplan Citrix server earlier than they moved laterally into the group’s surroundings.
As we speak, the ICO has introduced a hefty £3.07 million ($3.95 million) fantastic on Superior as a penalty for failing to safeguard delicate knowledge and programs in opposition to hackers.
ICO highlights in its announcement the software program vendor’s failure to implement ample safety measures that may stop the breach that induced knowledge publicity and life-risking well being service outages.
These omissions primarily concern poor vulnerability scanning, insufficient patch administration, and lack of common multi-factor authentication (MFA) protection.
“The safety measures of Superior’s subsidiary fell significantly wanting what we might anticipate from a company processing such a big quantity of delicate data,” acknowledged Data Commissioner John Edwards.
“Whereas Superior had put in multi-factor authentication throughout a lot of its programs, the shortage of full protection meant hackers may acquire entry, placing hundreds of individuals’s delicate private data in danger.”
It is price noting that the fantastic imposed on Superior for the 2022 ransomware incident is considerably decreased in comparison with the £6.09M ($7.74 million) determine that ICO thought of beforehand and introduced in August 2024.
Nonetheless, that is important as a result of it’s the first fantastic within the UK imposed on a knowledge processor relatively than a knowledge controller.
Notable instances of previous ICO fines on knowledge controllers embody the report £20 million fantastic on British Airways for a 2018 knowledge breach and a £18.4 million fantastic on Marriott for a 2014 safety incident.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and defend in opposition to them.
