Ransomware attack lands data processor with a £3m fine

With the UK data protection landscape on the cusp of change, with the Data (Use and Access) Act 2025 in force and the forthcoming Cyber Security and Resilience Bill set to further embed the crucial link between cyber security and data protection, the £3.07m fine against Advanced Computer Software Group serves as an important reminder of the need for more integrated cyber and data security efforts. As the UK gathers pace to tighten cyber obligations across the economy, data processors and controllers alike should make concerted efforts to keep their security up to date.

A landmark fine against a data processor

In a first-of-its-kind action under UK GDPR, the Information Commissioner’s Office (ICO) fined the software company Advanced £3.07m following its failure to prevent a 2022 ransomware attack that disrupted critical NHS services. The attack, attributed to the LockBit group, exploited a customer account that lacked multi-factor authentication (MFA) and exposed the personal data of 79,404 individuals, including care access details for 890 vulnerable patients.

The fine was halved from an original £6.09m after a voluntary settlement, with the ICO acknowledging Advanced’s cooperation with the NCSC, NCA, and NHS, and its remedial efforts since the breach.

Why the company was fined

The ICO found that Advanced failed to implement sufficient technical and organisational security measures. Specific deficiencies included:

  • Incomplete deployment of multi-factor authentication
  • Inadequate vulnerability scanning protocols
  • Poor patch management

These gaps allowed threat actors to penetrate systems underpinning the Adastra patient management platform, causing nationwide disruption to services such as NHS 111, ambulance dispatch, and emergency prescription fulfilment.

According to Information Commissioner John Edwards: “The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information.”

The significance of being a data processor

While data controllers have traditionally been the focus of enforcement action, this fine sets a major precedent. As a data processor, Advanced was handling personal data on behalf of the NHS and other health sector clients rather than determining the purposes for which that data was processed. Yet under UK GDPR, data processors still have a legal duty to implement appropriate security measures.

While the Data (Use and Access) Act has brought changes to the UK’s data protection landscape, it has not loosened the requirements on all processors and controllers to take concerted and active security measures. Moreover, the forthcoming Cyber Security and Resilience Bill will put additional compliance obligations on companies, particularly those in critical sectors, to heighten security.

Processors cannot rely on their controller clients to absorb legal risk. The ICO’s decision signals increased scrutiny of outsourced technology providers, especially those handling sensitive health or education data, and this is likely to continue.

Why ransomware remains a critical risk

Ransomware continues to dominate cyber threat landscapes. In this case, the LockBit attack not only encrypted systems but exfiltrated sensitive personal information. The lack of MFA and weak patching protocols created a clear path for attackers.

The ICO stressed that every external connection must be protected by MFA. With known vulnerabilities increasingly exploited by ransomware gangs, organisations must adopt proactive and continuous security monitoring and implement resilience strategies to maintain service continuity in the event of compromise.

Processing sensitive data means greater obligations

UK GDPR requires security measures to be proportionate to risk. Processing special category data – such as health records in this case – requires a higher bar of protection. Measures such as encryption, access controls, and regular system testing are not optional when dealing with sensitive datasets.

The ICO also broadened the interpretation of sensitive data beyond special category information, warning that data exposing individuals to potential physical or psychological harm also demands heightened protection.

The Cyber Security and Resilience Bill: What’s next?

The UK’s forthcoming Cyber Security and Resilience Bill is expected to further define baseline cyber requirements for private sector entities. While much of the regulatory focus has historically fallen on critical infrastructure, the new legislation will likely formalise obligations for a broader range of digital service providers.

This includes mandatory cyber risk assessments, vulnerability disclosure mechanisms, and minimum technical standards. For data processors, the bill is set to raise the floor on what qualifies as adequate security.

For compliance officers and IT providers, the message is clear: security obligations don’t stop at data controllers, and enforcement is accelerating. With cyber incidents rising and regulatory scrutiny intensifying, the time to audit and upgrade your security posture is now.
