Advanced Computer Software Group Limited – €3,599,294 Fine (United Kingdom, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Advanced Computer Software Group Ltd. (data processor) is a software company providing IT and software services to organisations including the NHS in England. In August 2022, the processor suffered a cyber-attack in which the threat actor obtained access to its internal systems. The actor logged in with a correct username and password for a customer account, which allowed the actor to disable the antivirus measures and obtain domain administrator privileges. The threat actor was able to gain access to 19 GB of data. This caused widespread disruption to NHS services. The processor had to take multiple systems offline in order to rebuild them. In May 2023, the final data controller was reconnected.
The personal data of a total of 82,946 individuals was compromised, with some of the data relating to deceased individuals, leaving a total of 79,404 individuals whose personal data was exfiltrated. This number includes the special category data of 41,196 data subjects. The personal data comprised demographic and contact information, employment-related information, medical and health-related information, and other special category information including racial or ethnic origin and religious or philosophical beliefs.
Following the report of the disruption to NHS services, the ICO (United Kingdom DPA) contacted the processor and launched its investigation. The DPA found that the processor did not have in place a system to perform regular vulnerability scanning in relation to the breached systems. The DPA noted that this practice was in stark contrast to the advice issued by the National Cyber Security Centre (NCSC). The DPA found that the processor had infringed the obligation to adopt appropriate technical and organisational safety measures in Article 32(1)(b) UK GDPR by failing to implement comprehensive and regular vulnerability scanning in its systems. The investigation also revealed that the attainment of administrator privileges was expl
Related Enforcement Actions (0)
No other enforcement actions found for Advanced Computer Software Group Limited in UK
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 March 2025
Authority
Information Commissioner's Office
Fine Amount
€3,599,294
3,076,320 GBP
GDPRhub ID
gdprhub-9091
Cite as: Cookie Fines. Advanced Computer Software Group Limited - United Kingdom (2025). Retrieved from cookiefines.eu