Advanced Computer Software Group, a vendor of the UK's National Health Service, has been ordered by the Information Commissioner's Office to pay a $3.95 million penalty following its failure to adequately defend its systems from a LockBit ransomware attack in 2022, which led to the exfiltration of data belonging to 79,404 individuals, reports The Register.

Although lower than the $7.8 million provisional fine stated by the ICO in August, the penalty, which was agreed upon after the vendor's cooperation with the National Cyber Security Centre, National Crime Agency, and NHS, as well as its pledge to avert further data security risks, is still the largest in two years and the sixth largest in the history of the ICO. ICO Commissioner John Edwards revealed that Advanced had failed to ensure total multi-factor authentication coverage across its systems. "With cyber incidents increasing across all sectors, my decision today is a stark reminder that organizations risk becoming the next target without robust security measures in place," said Edwards.