On 27 March 2025, the ICO fined Advanced Computer Software Group Ltd, its subsidiary Advanced Health and Care Limited, and its parent company (together Advanced) £3.07m for security failings which were exposed during a 2022 ransomware attack. The decision is notable because it is the first fine handed down to a processor rather than a controller in the UK.
The incident
Advanced is a SaaS provider to sectors including healthcare, legal and education. It provides services to data controller customers in the UK, including the NHS, acting as a data processor for those customers.
In August 2022, Advanced suffered a ransomware attack, during which threat actors accessed Advanced Health and Care Limited (AHC) systems. The attackers used valid credentials to gain access to a customer account that was not protected by multi-factor authentication (MFA), and then exploited a known vulnerability, ZeroLogon CVE-2020-1472 (the ZeroLogon vulnerability), to escalate privileges to a domain administrator account.
The attack led to the exfiltration of approximately 19GB of data from 16 data controller customers, and impacted 658 customers through product unavailability during remediation. Those affected included entities offering healthcare services which form part of the UK's Critical National Infrastructure, such as NHS 111.
Personal data of 79,404 people was taken. Over half of those data subjects had special category data like medical and health-related records exfiltrated, and 890 had home access information taken. In addition, critical services (such as NHS 111) and other healthcare services were impacted.
ICO's findings
The ICO concluded that Advanced had failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk posed by the processing it was carrying out, in particular with respect to vulnerability scanning, patch management and MFA. As such, it infringed Article 32(1) UK GDPR (particularly subsection (b) in respect of patch management and (d) in respect of vulnerability scanning).
Vulnerability scanning
The ICO found that although Advanced had taken steps to carry out vulnerability scanning, an appropriate level of scanning was not carried out across its entire IT infrastructure, and in particular not on the environment that the attackers used to gain access.
Advanced had also failed to carry out vulnerability scanning with sufficient regularity. This was assessed by reference to National Cyber Security Centre (NCSC) guidance, which recommends that organisations perform vulnerability scans on a regular basis and at least monthly, or immediately after applying changes to remediate a critical issue. The ICO also noted that conducting scans as part of penetration testing does not remove the requirement for ongoing, regular scanning mechanisms.
Based on its investigation, the ICO concluded that Advanced was aware of the need to undertake vulnerability scanning and it would have had "ample opportunity to identify and remediate the high risk ZeroLogon vulnerability had it implemented such scanning in the [relevant] environment" (para 65).
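As an added illustration (not from the ICO decision or any tooling of Advanced's), the following Python check audits constructed scan records against the NCSC cadence the ICO cited: every in-scope environment scanned, at least monthly, and re-scanned immediately after a critical remediation. The environment names, dates and the one-day "immediately after" window are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumed shape, not taken from the decision):
# every environment that is in scope, whether or not it has ever been scanned ...
ENVIRONMENTS = ["corporate-network", "customer-hosting", "ahc-legacy"]
# ... the scan dates recorded for each environment ...
SCANS = {
    "corporate-network": [date(2022, 5, 2), date(2022, 6, 6), date(2022, 7, 4)],
    "customer-hosting": [date(2022, 3, 14)],
}
# ... and changes applied to remediate a critical issue (environment, date).
CRITICAL_REMEDIATIONS = [("corporate-network", date(2022, 7, 20))]
AUDIT_DATE = date(2022, 8, 1)

MAX_SCAN_INTERVAL = timedelta(days=31)  # "at least monthly" per the NCSC guidance
IMMEDIATE_WINDOW = timedelta(days=1)    # assumed reading of "immediately after"


def audit_scanning(environments, scans, remediations, today):
    """Return (environment, finding) pairs for every gap against the guidance."""
    findings = []
    for env in environments:
        dates = sorted(scans.get(env, []))
        if not dates:
            # Coverage gap: the environment is in scope but never scanned.
            findings.append((env, "never scanned"))
            continue
        # Regularity gap: more than a month between consecutive scans.
        for prev, nxt in zip(dates, dates[1:]):
            if nxt - prev > MAX_SCAN_INTERVAL:
                findings.append((env, f"gap of {(nxt - prev).days} days between scans"))
        # Staleness gap: the most recent scan is more than a month old today.
        if today - dates[-1] > MAX_SCAN_INTERVAL:
            findings.append((env, f"last scan {(today - dates[-1]).days} days ago"))
    # Change gap: a critical remediation with no scan in the window after it.
    for env, changed in remediations:
        if not any(changed <= d <= changed + IMMEDIATE_WINDOW for d in scans.get(env, [])):
            findings.append((env, f"no scan after critical remediation on {changed}"))
    return findings


def sample_findings():
    """Run the audit over the constructed records above."""
    return audit_scanning(ENVIRONMENTS, SCANS, CRITICAL_REMEDIATIONS, AUDIT_DATE)


if __name__ == "__main__":
    for env, finding in sample_findings():
        print(f"{env}: {finding}")
```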
Patch management
The ICO noted that the ZeroLogon vulnerability, which can allow a cyber threat actor to bypass authentication and gain administrator-level privileges on the domain, had been widely publicised since 2020. A patch (and detailed guidance on how to address the vulnerability) was made available by Microsoft in August 2020, with a further security update made available in February 2021.
The ICO concluded that although Advanced undertook some patching activities in response to the ZeroLogon vulnerability, its approach to patching in the impacted environment was ad hoc and without a mature patch validation process in place. Advanced did not implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing.
Industry standards regarding vulnerability management
The ICO also found that Advanced's approach to vulnerability management within the AHC environment did not meet industry-wide standards. In assessing this, the ICO referred to ISO27002:2017 and NCSC's Cyber Essentials v3.0.
Cost of implementation
The ICO noted that the cost of implementing appropriate technical and organisational measures should not have been a prohibitive factor for Advanced, given that it is a large organisation with significant turnover.
Severity of risk
Advanced should have been aware that "Health" is listed by the Cabinet Office as one of the 13 Critical National Infrastructure sectors, understood that it was carrying out high-risk processing of significant volumes of personal data, and acted accordingly.
Failure to fully implement MFA
Advanced did not implement MFA fully across the impacted environment at the time of the incident, although MFA was in place for certain applications within that environment and Advanced had also developed an MFA solution. Advanced argued this was partly because customers were unwilling to implement MFA. The ICO rejected this argument as a relevant factor, particularly given the sensitive nature of the data Advanced was processing.
Remediation measures
The ICO accepted that Advanced took considerable remediation steps, including but not limited to immediate incident response by isolating the impacted environment to limit the scope of potential damage, notifying all customers of the incident within 24 hours of discovery irrespective of whether or not they were affected, and working with the NCSC and NHS Digital as part of its remediation and recovery plan, incurring remediation costs of over £21 million. Advanced also proactively reported the cyber security breach to other appropriate bodies (such as the NCSC).
These measures were taken into account when assessing the amount of the fine, which ultimately included a 20% reduction following voluntary settlement by Advanced and also reflected a reduction following representations made in response to the notice of intent issued by the ICO in August 2024, which had initially proposed a fine of £6.09m.
What does this mean for processors?
There are lessons to be learned here for processors (and controllers) in relation to risk mitigation and appropriate technical and organisational measures relating to security. Patch management, vulnerability scanning, using MFA and having appropriate processes in place are not necessarily news, although the decision is a reminder of the consequences of getting them wrong. Advanced was not unaware of its security obligations; however, it had failed to assess risk properly and therefore also to address it appropriately. The ICO took the opportunity to call on organisations to do more to combat the growing cyber threat, with specific references to detailed guidance on protecting systems from ransomware attacks and shared lessons learnt from common security mistakes.
It is certainly worth noting that Advanced was able to reduce the original proposed fine significantly through mitigation measures, by making representations to the ICO after the initial notice, and by agreeing to settle rather than appeal. Despite this, the size and experience of Advanced and the volume and sensitivity of the data being processed were factors in determining the amount of the fine.
The main impact of this decision is, however, that it marks the first time the ICO has fined a processor. The ICO had previously focused on controllers when taking enforcement action, but this decision underlines the fact that many of the obligations placed on controllers also apply directly to processors, including the requirement to take appropriate technical and organisational measures to ensure security of personal data, and that the ICO will be scrutinising processor compliance, just as it does with controllers.
The ICO looked at the relationship and allocation of responsibility between Advanced and its controllers. Advanced accepted that AHC (as a processor) was responsible for the security of impacted systems and that decision making relating to the affected IT infrastructure rested with AHC. The ICO acknowledged that Advanced's master services agreement with its controller customers stated that the customers were also responsible for taking appropriate security measures to protect their personal data, but concluded this could not reduce Advanced's own responsibilities under Article 32 UK GDPR.
Processors should take from this decision the fact that they cannot hide behind their controllers. As with controllers, failure to comply with their GDPR obligations lays them open to financial penalties, reputational damage and, potentially, financial claims from their controllers and from the data subjects whose personal data they process.