UK’s Advanced Faces 6M Pound Find After LockBit Attack

A British IT services company whose ransomware attack and data breach in 2022 disrupted a national urgent care medical helpline now faces the prospect of a nearly $8 million fine.

See Also: Demostración Del Producto: Backup Y Recuperación De VM

U.K. data regulator the Information Commissioner’s Office said in announcement timed for just after Tuesday midnight that it has “provisionally decided” to fine Advanced Computer Software Group 6.09 million pounds for failing to implement appropriate security measures for safeguarding personal data.

Hackers stole personal information belonging to 82,946 individuals. Stolen data included phone numbers, medical records, and “details of how to gain entry to the homes of 890 people who were receiving care at home.”

The data does not appear to have been posted online or the dark web. Advanced may contest the findings and the fine. “The Commissioner will carefully consider any representations Advanced make before making a final decision,” the ICO said.

In an emailed statement, a company spokesperson said it has “cooperated fully with the ICO investigation over the past two years and will respond to their provisional findings.”

A ransomware attack on the Birmingham company that began Aug. 2, 2022, forced the National Health Service into activating business continuity processes after some medical practices were unable to access patient records. Advance’s Adastra system underpins the National Health Service 111 non-emergency line and other healthcare services. The Welsh ambulance service warned the public of “a major outage” of a computer system used to refer patients from NHS 111 to out-of-hours general practitioners (see: Ransomware Attack Caused NHS IT Outage, Says Vendor).

Post-incident analysis found hackers deployed the LockBit 3.0 cryptolocker malware. They obtained access to Advanced networks using legitimate third-party credentials to start up a remote desktop session to the company’s Staffplan Citrix server, a system used to schedule caregiver shifts.

After that initial penetration, hackers were able to move deeper into Advanced infrastructure while also escalating their privileges, the company said in October 2022.

Hackers stole data belonging to 16 NHS trust clients of Advanced patient caregiver management solutions Staffplan and Caresys. “Patient data controlled by NHS Trusts was not impacted and our ongoing monitoring confirms that there is no evidence of fraud or misuse,” the Advanced spokesperson said Tuesday.

The hacking’s effects were amplified by Advanced’s breach response, which was to disconnect the company’s “entire Health and Care environment.”

That had the effect of containing the threat, but also of locking out customers in an outage that spilled to “limited number of non-health and care environments and services, such as eFinancials,” said the company’s post-hack analysis.

Information Commissioner John Edwards said he is publicizing the provisional fine “as it is my duty to ensure other organizations have information that can help them to secure their systems and avoid similar incidents in the future.”

With reporting by Information Security Media Group’s Marianne Kolbasuk McGee in the Boston exurbs