Advanced Computer Software Group Ltd
3,500,000 €
GDPR enforcement action by Information Commissioner (ICO) on 2025-03-26.
Rank · Sector: #2 of 270 in Health Care
Rank · United Kingdom: #9 of 28
Rank · All fines: #92 of 3,050
Case details
- Authority: Information Commissioner (ICO)
- Date: 2025-03-26
- Controller / Processor: Advanced Computer Software Group Ltd
- Sector: Health Care
- Quoted Articles: Art. 32 (1) GDPR
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The UK DPA (ICO) has fined Advanced Computer Software Group Ltd £3.07 million (EUR 3.5 million) for insufficient IT security (infringement of Art. 32 (1) UK GDPR). The controller failed to implement appropriate technical and organisational measures to protect personal data. A ransomware attack in August 2022 allowed hackers to access systems of a health subsidiary via a customer account that lacked multi-factor authentication. As a result, the personal data of 79,404 individuals was put at risk.
Related fines
- United Kingdom · 2020-10-16 · 22,046,000 € · ETid-58 · British Airways · Transportation and Energy
- United Kingdom · 2020-10-30 · 20,450,000 € · ETid-60 · Marriott International, Inc · Accommodation and Hospitality
- United Kingdom · 2026-02-23 · 16,610,000 € · ETid-3074 · Reddit, Inc. · Media, Telecoms and Broadcasting
- United Kingdom · 2023-04-04 · 14,500,000 € · ETid-1730 · TikTok · Media, Telecoms and Broadcasting
- United Kingdom · 2025-10-15 · 9,180,000 € · ETid-2898 · CAPITA PLC · Industry and Commerce
- United Kingdom · 2022-05-18 · 9,000,000 € · ETid-1190 · Clearview AI Inc. · Industry and Commerce