
£3.07 million for security failings - ICO issues its first-ever processor fine under UK GDPR

25/04/2025

Last month, the ICO issued its first-ever monetary penalty notice (“MPN”) against a processor.

Advanced Computer Software Group (“Advanced”) was fined £3.07 million for security failings identified following a ransomware attack that impacted NHS systems.

The decision to impose a fine directly against a processor rather than a controller is notable as it:

  • Emphasises that processors have direct statutory obligations under UK GDPR,
  • Clarifies regulatory expectations around the appropriateness of security measures, and
  • Could have implications for contractual negotiations in the future.

The details of the events, the MPN and its implications are below.

The ransomware attack

  • In August 2022, hackers accessed Advanced’s health and care subsidiary systems via a customer account unprotected by multi-factor authentication (“MFA”).
  • The affected data included health data, national insurance numbers, and details on how to enter the homes of 890 people receiving care at home.
  • The attack brought parts of the NHS 111 service to a standstill, leaving doctors and other healthcare professionals unable to access patient records.
  • Overall, the attack directly impacted 16 controller customers and put the personal data of 79,404 people at risk.

ICO findings

  • The ICO found that Advanced had breached Article 32 of the UK GDPR for failing to implement appropriate technical and organisational measures to ensure the security of personal data. In particular, the ICO criticised the gaps in Advanced’s deployment of MFA, its lack of comprehensive vulnerability scanning, and inadequate patch management.
  • The ICO cited many aggravating factors that contributed to the seriousness of the fine, including Advanced’s size and the volume/nature of the personal data processed.
  • The ICO also emphasised how security measures must cover the entire data lifecycle from the point of collection through to deletion.
  • For example, a key point of criticism was that, even though Advanced had installed MFA to protect the vast majority of its records, its lack of complete coverage meant hackers could still gain access.
  • More generally, this fine illustrates that the ICO does not just recommend MFA and appropriate vulnerability management controls; they are nowadays perceived as essential in many circumstances.

Negotiating the fine

  • In August 2024, the ICO announced its intention to issue Advanced with a provisional fine of just over £6 million.
  • Subsequently, the ICO considered representations made by Advanced in response to the notice of intent. In its final decision, the ICO determined that the appropriate adjustment for seriousness was 65% of the statutory maximum (£8.7 million) because there was no evidence of actual harm to data subjects.
  • The ICO further reduced the fine by 15% to reflect Advanced’s “proactive engagement” with the NHS and various security authorities in the wake of the attack, along with other steps Advanced took to mitigate the risk to those impacted.
  • Finally, the ICO reduced the penalty by 20% in light of Advanced’s agreement not to appeal the fine.
  • The final settlement figure of £3 million represents almost half of what the ICO originally announced in the notice of intent.

What can we learn from this decision?

  • Advanced is the first processor to be fined by the ICO.
  • This may be a one-off decision triggered by the specific facts of the breach, including the ICO preferring to go after Advanced as the party with the deeper pockets rather than the NHS as a public body.
  • However, even if this is the case, this decision may change the dynamic of controller-processor contract negotiations.
  • Controller organisations are held responsible for data breaches, including civil liability for damages awarded to individuals and administrative fines imposed. By contrast, processors have not historically been in the direct firing line for any such hit.
  • When negotiating data processing agreements, it is therefore quite common for controllers to argue that the processor is not exposed from a regulatory enforcement perspective.
    • This decision reminds us that this is not the case; rather, the ICO (and other regulators) can fine or sanction processors directly where there is a breach of a statutory obligation that applies to them.
    • Under the UK GDPR, processors can be held equally, if not more, liable than controllers, depending on the parties’ respective negligence and culpability for the loss or damage caused.
  • A key issue not raised in the decision, but which has unsurprisingly been the subject of media attention, is whether Advanced's customers (including the NHS) should take some responsibility for this breach, having perhaps carried out substandard due diligence on Advanced.
  • The ICO’s decision clarifies that the obligations on the controllers (i.e., Advanced’s customers) should be considered separately from Advanced’s responsibilities as a processor.
  • Regardless, this fine emphasises the importance of exercising care when contracting with processors and creating readiness plans for a processor breach.
  • Although the NHS did not face a hefty fine following Advanced’s breach, the cybersecurity attack was widely reported and undoubtedly caused reputational damage.

Conclusion

  • It remains to be seen whether this fine is unique based on its facts or whether this indicates a general willingness from the ICO to issue more penalties against processors in the future.
  • Regardless, this decision could have implications for controller-processor contractual negotiations, shifting the dynamic between the parties and removing any perceived safety blanket for processors regarding the enforceability of their statutory obligations.

Source

https://inquisitiveminds.bristows.com/post/102k8rt/ico-issues-its-first-ever-processor-fine-under-uk-gdpr
