Software provider Advanced Computer Software Group faces a potential fine of £6.09m for an alleged failure to implement appropriate cyber security measures to protect the sensitive personal data of 82,946 people, which was stolen by the LockBit ransomware gang following an attack on its systems in August 2022.
The cyber attack on Advanced caused extensive disruption to NHS trusts and other social care bodies that used its Caresys care home management, Staffplan care rostering, and Adastra clinical patient management services. The biggest immediate impact seen was to users of the Adastra service underpinning the NHS’s 111 advice service.
LockBit – which was taken down by the UK’s National Crime Agency (NCA) earlier in 2024 – was later found to have accessed Advanced’s network using legitimate credentials on a third-party account which did not have multifactor authentication (MFA) enabled.
This account was used to establish a remote desktop protocol (RDP) session on a Staffplan Citrix server, from where the attackers were able to move laterally through Advanced’s environment to escalate their privileges, exfiltrate sensitive data including patient medical records and phone numbers, and execute their ransomware locker.
“This incident shows just how important it is to prioritise information security. Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations,” said information commissioner John Edwards.
“Not only was personal information compromised, but we have also seen reports that this incident caused disruption to some health services, disrupting their ability to deliver patient care. A sector already under pressure was put under further strain because of this incident.
“For an organisation trusted to handle a significant volume of sensitive and special category data, we have provisionally found serious failings in its approach to information security prior to this incident,” Edwards continued.
“Despite already installing measures on its corporate systems, our provisional finding is that Advanced failed to keep its healthcare systems secure. We expect all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication and keeping systems up to date with the latest security patches.”
Edwards stressed that the ICO’s findings are, at this stage, provisional, and no conclusion should be drawn as to whether or not there has been a breach of data protection law, or even that a fine will be imposed. As part of the investigation process, Advanced has the right to make considered representations before a final decision is taken. If the organisation is ultimately fined, the amount may well change.
Edwards said he was choosing to publicise the provisional ICO decision as he had a duty to ensure other organisations have appropriate information to enable them to secure their systems and avoid similar incidents in the future. He urged all organisations, especially those handling sensitive health data, to urgently secure external connections and impose MFA policies across the board.
The ICO pointed out that although data processors such as Advanced act on the instructions of their clients – the data controllers, in this case the NHS, which have overall control over how the data is used – processors still have a legal obligation to implement appropriate security measures to keep it safe. This includes taking steps to assess and mitigate risk, conducting vulnerability scanning on their IT estate, implementing MFA, and keeping systems updated.
A spokesperson for Advanced, which now trades as OneAdvanced, told Computer Weekly the organisation had notified the ICO in August 2022 that it had been the target of a ransomware attack, and had cooperated fully with its investigation over the past two years. They acknowledged the regulator’s Notification of Intent (NoI) setting out its provisional findings and inviting it to make representations following this, which it intends to do.
“We supported customers throughout the incident and can confirm that no data was ever made available publicly. Patient data managed by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse. There was no impact to any of Advanced’s other customer-serving systems.”
“We apologise to our customers. It is wholly regrettable that threat actors disrupted our services in this incident. We value our customers in the healthcare sector and take our responsibility to them and their patients and communities very seriously. Cyber security continues to be a significant investment throughout our business, and we continue to adapt and evolve our response to the ever-changing cyber security threats and challenges.