On 26 March 2025, the Information Commissioner’s Office (ICO) announced a substantial fine of £3.07 million on Advanced Computer Software Group (ACSG). This enforcement action merits close attention from all organisations processing personal data within GDPR jurisdictions, the UK and the EU in particular.
A Rare Exercise of the ICO’s Fining Powers
The ICO has for some time been hesitant to exercise its fining powers under GDPR, especially compared to European counterparts. This recent fine is therefore particularly noteworthy, and it wouldn’t be crazy to speculate that we might not get another one of these for the rest of the year.
In addition, in this case ACSG was fined in its capacity as a data processor rather than a controller. This serves as an important reminder that processors bear direct statutory obligations under GDPR and can be held independently accountable by regulators.
The Breach and its Impact
Between 2 and 4 August 2022, ACSG suffered a ransomware attack that resulted in unauthorised access to and exfiltration of personal data belonging to approximately 82,946 individuals. The severity of this breach was heightened by the nature of the compromised information, which included special category data, such as health data, from NHS patient record systems. Most alarmingly, the accessed data contained home entry details for 890 vulnerable patients.
Security Failures Identified
The ICO’s investigation determined that ACSG had failed to implement appropriate security measures as required by Article 32 of GDPR. The regulator found that ACSG had been negligent in fulfilling its security responsibilities in several key areas:
- Despite processing significant volumes of sensitive data including medical records, ACSG failed to adequately scan its systems for vulnerabilities—in some instances contravening its own internal policies.
- ACSG had been notified of the vulnerability exploited in the attack by a Microsoft alert in August 2020, followed by a specific alert from the National Cyber Security Centre in September 2020 warning that the vulnerability was being actively exploited. Despite nearly two years’ notice, ACSG failed to patch this known security gap.
- The company neglected to implement Multi-Factor Authentication (MFA) on its public-facing environment, which would have prevented the initial unauthorised access. Though ACSG possessed the technical capability and existing MFA solutions, full implementation was postponed due to concerns about customer resistance.
Key Lessons for Organisations
This enforcement action offers several valuable lessons for all organisations processing personal data:
- Processor Accountability: Data processors have independent obligations under Article 32 of GDPR to implement appropriate security measures and will be held directly accountable by regulators for failures.
- Policy Implementation: Simply having security policies is insufficient; organisations must ensure these policies are effectively implemented and followed. Failure to adhere to one’s own policies will be considered an aggravating factor in regulatory assessments, particularly where that failure results in a data breach or other incident.
- Vulnerability Management: Organisations must establish robust systems for tracking and promptly applying security patches. The nearly two-year delay in addressing a known vulnerability significantly contributed to the severity of the eventual fine, with the ICO finding ACSG to have been negligent.
QUESTIONS?
If you have any questions about the topics discussed, please reach out to your Bortstein Legal Group attorney or Jemille Gibson at jgibson@blegalgroup.com.