In the last few weeks, the ICO has issued a number of fines to businesses for data protection failures which came to light following cyber attacks by threat actors.

The ICO’s findings in these cases, following their investigations, have given rise to some important considerations for data controllers and processors. We consider those findings, and their implications for all businesses which handle sensitive data, below.

NHS cyber attack

In August 2022, a data breach affecting the NHS made headline news. The affected company was Advanced Computer Software Group Ltd (Advanced), which provided services to the NHS. Attackers breached Advanced’s systems via an account which did not have multi-factor authentication (MFA) in place, allowing the threat actor to conduct a ransomware attack. The attack led to the disruption of some critical NHS services and left some healthcare staff unable to access patient records or check in patients.

In its investigation, the ICO found that there were security failings that put the personal information of 79,404 people at risk, and much of the data affected was of a sensitive nature. Around half of the data subjects had special category data affected, and the attackers accessed information which would allow access to the homes of around 900 data subjects receiving care at home. The information affected was of significant concern to the ICO.  The wide impact of the attack was also a consideration in respect of the fine levied – critical systems and numerous data controllers were seriously affected during the attack.

The ICO announced a provisional intention to fine £6.09m. Following representations from Advanced, and in light of the proactive engagement by Advanced following the attack, the ICO agreed to settle at a fine of £3.07m, which Advanced will not appeal.  

Organisations which routinely handle sensitive category data, or work with key infrastructure or critical service providers should be mindful of the higher risk which a cyber attack presents to their business. The financial consequences can be significant in the event of an ICO investigation.  

Law firm cyber attack

A Merseyside-based law firm has suffered a similar fate, falling victim to a cyber attack and subsequently being fined by the ICO. DPP Law Ltd was attacked in June 2022 through an infrequently used admin account that was used to access a legacy case management system. That enabled the attackers to move laterally across DPP’s network and take more than 32GB of data.

As DPP is a criminal defence and family law firm, the data held and affected by the attack was of a highly sensitive nature, including special category data, DNA data, legally privileged information, criminal allegations, court pleadings, and evidence (such as police body cam footage). Although the attack was uncovered in June 2022, evidence was later found which suggested that the attack had begun as early as February 2022.

Factors which were not in DPP’s favour included the fact that it had not identified the personal data compromise until the National Crime Agency contacted the firm to advise it that information relating to its clients had been posted on the dark web. Once aware of the issue, DPP primarily dealt with its IT issues, and did not consider that the loss of access to personal data was a reportable breach. A report was only made to the ICO 43 days after discovery, far outwith the statutory 72 hour timeframe. The ICO also noted that DPP did not have Cyber Essentials in place, nor various technical safeguards, including password protection and limits on administrator accounts.

The very sensitive nature of the affected information raised high risks for the affected clients, possibly jeopardising ongoing proceedings, identifying clients who were subject to charges, and identifying witnesses and victims (including children and victims of sexual offences). The ICO specifically commented on the fact that referring the affected data subjects to the NCA’s guidance on staying safe online is not a mitigation – and is the minimum the ICO will expect. The fine was ultimately set at £60,000. 

This is another reminder of the higher level of security expected of organisations handling sensitive data, and a reminder of the importance of prompt identification of breaches and notification to the ICO.  

23andMe

The ICO has also recently provided an update on an investigation into 23andMe, a global direct-to-consumer genetic testing company, where a notice of intent to fine £4.59m had been announced. This investigation is joint between the ICO and the Office of the Privacy Commissioner of Canada, and has been ongoing since the data breach occurred in October 2023. The information held by 23andMe includes significant amounts of genetic information, which is of the most sensitive nature. 23andMe has now filed for Chapter 11 bankruptcy in the US, apparently to facilitate a sale process. The ICO has confirmed it will continue to monitor the situation and reiterated that the UK GDPR continues to apply to 23andMe.  

Lessons for businesses

After a period of minimal fines being issued, this is an important reminder of the ICO’s ability to issue significant fines.  It is critical for businesses to be on top of their security risks and infrastructure, and also to be in a position to respond to a breach effectively.  

Both Advanced and DPP were the unfortunate victims of a cyber attack, and faced significant IT and business continuity issues, as well as the implications of a personal data breach.  Nonetheless, this is a salutary reminder that the risks, and potential financial exposure, for a company which has endured a cyber attack can extend well beyond the end of the attack itself.  An ICO investigation can take a long time (two of the three investigations noted above exceeded 2.5 years in length, and the third is still ongoing after 18 months), incur significant time and expense, and lead to substantial fines. These decisions also emphasise the weight the ICO places on appropriate safeguards, such as Cyber Essentials and MFA, and prompt notification to the regulator. Companies should therefore conduct regular audits, and seek advice, to ensure they are taking all reasonable measures to protect themselves, and the data they hold, from the constant threat of cyber incidents.

Burness Paull’s leading cyber security, data protection and group litigation experts have significant experience in managing cyber security risks, including ransomware attacks, and best practices. Our team are on hand to support you on your cyber resilience journey, from implementing protective measures to handling a full-scale incident. Please get in touch with any of our team to discuss your needs.

The team are also running their annual spring webinar series over the coming weeks, looking at current data governance issues. With a session on the priorities of the ICO and navigating regulatory risk, it is a must attend for all organisations handling sensitive and personal data. Find out more about the series and register your place here.

Written by

Nick Warrillow, Partner, Dispute Resolution
nick.warrillow@burnesspaull.com +44 (0)131 473 6115

Louise McErlean, Senior Associate, Public Law
louise.mcerlean@burnesspaull.com +44 (0)141 273 6795
