IT Services Provider in UK Fined Over NHS Ransomware Attack

Date: August 14, 2024


The Information Commissioner’s Office (ICO) has announced a potential fine of over £6 million against Advanced Computer Software Group, a software provider, following a 2022 ransomware attack that severely disrupted NHS and social care services in England.  

The ICO provisionally found that the company had failed to protect the personal information of nearly 83,000 individuals, including sensitive data. The attack occurred in August 2022 when hackers accessed the firm’s healthcare systems via a customer account lacking multifactor authentication.  

This breach led to significant disruption, including critical NHS services such as NHS 111 being temporarily taken offline, and exposed personal data such as phone numbers, medical records, and home entry details for around 900 care recipients.

John Edwards, the Information Commissioner, emphasized the severity of the incident, stating, “Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organizations,” the Guardian reports.

Edwards highlighted the need for stringent security measures, urging organizations to implement basic protections such as multifactor authentication and regular system updates. He noted that the attack added strain to an already pressured sector, disrupting essential services.

He remarked, “for an organization trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident.”

The ICO’s findings are provisional, and the final decision will be made after considering any representations from Advanced.

Takeaway: Lawsuits against organizations hit by ransomware attacks involving data exfiltration have surged dramatically over the past two years.

This surge in legal actions is exerting significant pressure on C-suite executives and Boards of Directors, and we are now witnessing third-party service providers being increasingly named in these lawsuits.

For instance, a recent lawsuit filed by the law firm Mastagni Holstedt against managed service provider (MSP) LanTech LLC and data backup provider Acronis is seeking over $1 million in damages. The lawsuit alleges that these companies failed to protect the firm from a highly disruptive ransomware attack.

Organizations must be keenly aware of the multifaceted risks posed by ransomware attacks. These risks extend far beyond immediate financial and operational disruptions, encompassing serious threats to sensitive data and intellectual property.  

The growing trend among ransomware operators to leverage the publication or sale of stolen data as a threat if ransoms are not paid introduces additional layers of risk, including regulatory fines, lawsuits, and enduring damage to a company's reputation and customer trust.

Ransomware attacks today are not just about delivering malicious code. Data exfiltration has become a core component, with some groups even forgoing the encryption of data to focus solely on stealing information and extorting their victims.  

This evolution has escalated ransomware to a significant legal and regulatory concern. Depending on the industry and location, data protection laws may require the swift reporting of breaches, with severe penalties for non-compliance.

While current regulations aim to safeguard sensitive personal information, they often fall short in shielding organizations from the relentless onslaught of ransomware attacks. In some cases, these regulations can exacerbate the situation for victimized organizations.

The growing legal and regulatory scrutiny is increasingly reaching company executives and Boards of Directors, signaling a shift towards accountability at the highest levels.  

The aftermath of severe security incidents no longer ends when the immediate threat is mitigated; it now includes the potential for class action lawsuits, regulatory actions, criminal prosecutions, and even jail time for leadership, particularly when sensitive or regulated data is compromised.

Noteworthy cases, such as the legal actions against the former Chief Information Security Officer (CISO) of Uber and the recent regulatory actions involving SolarWinds and their CISO, highlight the rising liability for those responsible for security decisions.  

This trend emphasizes the stark reality that while the government provides guidelines and frameworks to prevent ransomware attacks, its regulatory response post-attack often places additional burdens on the already-victimized organizations.

Cybersecurity experts recognize that a determined attacker with sufficient time and resources can eventually breach any target. This understanding implies that organizations handling sensitive data are likely to face regulatory and potentially criminal jeopardy when they are attacked.

The convergence of these factors means that organizations, already grappling with the challenges of defending against ransomware and data extortion, now face the added threat of being further victimized by an increasingly stringent legal and regulatory landscape.  

This complex scenario demands a balanced approach, where organizations must not only strengthen their cybersecurity defenses but also adeptly navigate the challenging regulatory environment to mitigate the risk of further harm.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.