
The Information Commissioner’s Office (ICO) has fined a software firm £3.07 million for security failings that led to a ransomware attack, putting the personal information of 79,404 people at risk. This ICO ransomware security fine highlights the growing importance of robust cybersecurity measures.
The ransomware incident in August 2022 saw reports of disruption to critical services, such as NHS 111, and of other healthcare staff being unable to access patient records.
Advanced Computer Software Group Ltd (Advanced) provides IT and software services to organisations, including healthcare providers, and processes personal information on behalf of these organisations. Hackers accessed certain systems of the firm’s health and care subsidiary via a customer account that did not have multi-factor authentication (MFA).
“Today’s decision is a stark reminder that organisations risk becoming the next target without robust security measures in place.”
– John Edwards, Information Commissioner
John Edwards, the Information Commissioner, said: “With cyber incidents increasing across all sectors, my decision today is a stark reminder that organisations risk becoming the next target without robust security measures in place. I urge all organisations to ensure that every external connection is secured with MFA today to protect the public and their personal information – there is no excuse for leaving any part of your system vulnerable.”
The Commissioner also revealed the ICO and Advanced have agreed a voluntary settlement: “Advanced has acknowledged our decision to impose a reduced fine and agreed to pay a final penalty of £3,076,320 without appealing.”
The announcement delivers a clear message to software developers and organisations across the UK and EU that proactive steps must be taken to assess and mitigate risks, such as implementing ‘comprehensive’ MFA, regularly checking for vulnerabilities and ensuring systems have the latest security updates, especially in light of this significant ICO ransomware security fine.

“This fine is an important message for software developers and providers to ensure they can demonstrate both security and privacy by design and default – it cannot be an afterthought and it’s not all down to the client.”
– Helen Barge, Risk Evolves
Data has value to the criminal
Risk and cyber security specialist Helen Barge, Managing Director of Risk Evolves, highlighted the ever-changing threats organisations face and why implementing effective safeguarding measures is no longer optional, but essential.
Helen said: “This fine is an important message for software developers and providers to ensure they can demonstrate both security and privacy by design and default – it cannot be an afterthought and it’s not all down to the client. Equally, if the developer identifies a weakness with how the client has implemented security – for example switching MFA off or excluding certain user groups – this decision from the ICO makes it very clear that the software provider is expected to take action.”
“This also reiterates the importance of due diligence when choosing and purchasing software. What credentials does the supplier hold, how can they help you to be secure, how do they maintain this security and what will they do if it all goes wrong?”
The full ICO report, released on 27 March 2025, is available to read.
Due diligence

Finding the right fit when choosing a managed service provider (MSP) can be a daunting task, especially in the ever-evolving landscape of technology. From artificial intelligence (AI) and augmented reality (AR) to autonomous vehicles, technology is evolving at an unprecedented rate, offering organisations greater possibilities. But with those possibilities comes an ever-growing set of risks.
Risk Evolves encourages all organisations to carry out due diligence before engaging with an MSP or software provider. The recent ICO ransomware security fine serves as a reminder that organisations must prioritise cybersecurity and implement proper safeguards to protect sensitive data.
You can read more about this in our article Managed Service Providers ‘choose wisely’, as we share insights into some of the most important qualities of a reliable MSP.