Price of negligence: $7.75 million for NHS data leak

The lack of proper protection was much more expensive than installing it.

British regulators have imposed a preliminary fine of more than £6 million on Advanced, a provider of services to the National Health Service (NHS). The company did not properly protect the information of thousands of people, which led to a data leak as a result of a ransomware attack.

During the attack, the attackers gained access to a number of Advanced systems through a customer account that did not have multi-factor authentication. The cyberattack, which occurred in August 2022, caused significant disruption to the NHS across the UK. Services were taken offline, including the NHS 111 emergency line, and many hospitals and health facilities were forced to fall back on "pen and paper". Doctors in the affected NHS departments reported that they could not access patients' medical records.

An investigation by Mandiant revealed that the attack used LockBit ransomware. However, the LockBit group itself has not publicly claimed responsibility for the cyberattack, which may indicate that Advanced paid the ransom demanded by the attackers. Earlier, the company declined to say whether a ransom had been paid.

In October 2022, Advanced said that cybercriminals had infiltrated its network using legitimate third-party credentials, which also pointed to the absence of multi-factor authentication. The Information Commissioner's Office (ICO) has now confirmed this.

The ICO said it was provisionally imposing a fine of £6.09 million (about $7.75 million) for violating the Data Protection Act by failing to implement adequate security measures to protect the personal information it was processing prior to the attack.

The watchdog also confirmed that the cyberattack resulted in the theft of data from nearly 83,000 people in the UK, including phone numbers and medical records, as well as details on how to access the homes of 890 people receiving home care. Those affected were notified, and Advanced found no evidence that the data was published on the darknet.

The fine is provisional, which means that the amount may still change. The ICO said the decision to make the case public was made in part to prevent similar incidents in the future. The regulator called on all organizations, especially those that process sensitive health data, to implement multi-factor authentication as a matter of urgency.

Representatives of Advanced did not provide comments.
