£3 Million Fine for a Victim of LockBit Ransomware

Filip TRUȚĂ

March 27, 2025


The UK ICO has issued a £3 million levy to British IT service provider Advanced Software over the company’s poor security posture during an encounter with hackers in 2022.

Advanced Computer Software Group Ltd. (also known as OneAdvanced per its website branding) is an IT service provider based in Birmingham, West Midlands.

The firm serves major clients across the United Kingdom, Ireland, India, Australia, Canada and the United States, providing an assortment of information technology services, including hosting and cloud.

As of 2016, Advanced is the third-largest software provider in the UK, employing over 2,400 people with a customer base of more than 20,000 organizations.

Notably, it is a major service provider to England’s National Health Service (NHS) and other healthcare organizations, and processes people’s personal information on behalf of these organizations – which is where its troubles with the ICO stem from.

Compromised the data of 80,000 people

“We have fined Advanced Computer Software Group Ltd (Advanced) £3.07m for security failings that put the personal information of 79,404 people at risk,” reads a strong opening to the ICO’s press release announcing the penalty dealt to the service provider.

The levy equates to around 3.9 million US dollars or 3.6 million euros.

The penalty relates to a cyber incident in August 2022, when members of the notorious LockBit ransomware operation breached an Advanced subsidiary by compromising an account that did not have multi-factor authentication (MFA) enabled.

The attackers ended up stealing the personal information of 79,404 people, “including details of how to gain entry into the homes of 890 people who were receiving care at home,” according to the ICO.

“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” said John Edwards, Information Commissioner.

“While Advanced had installed multi-factor authentication across many of its systems, the lack of complete coverage meant hackers could gain access, putting thousands of people’s sensitive personal information at risk.”

A lenient sanction

Considering the ICO’s provisional intention last year to fine Advanced £6.09 million, the revised £3 million charge is considered somewhat merciful.

The watchdog reviewed the company’s response to the decision and found several factors that justified a more indulgent penalty.

“Several factors from these representations led to a reduction in the fine, including Advanced’s proactive engagement with the National Cyber Security Centre (NCSC), the National Crime Agency (NCA) and the NHS in the wake of the attack and other steps taken to mitigate the risk to those impacted,” according to the ICO.

The company acknowledged the regulator’s decision to impose the reduced fine and agreed to pay a final penalty of £3,076,320 without appealing.

“Today’s decision is a stark reminder that organizations risk becoming the next target without robust security measures in place,” Edwards stressed.

According to the ICO, organizations must take proactive steps to combat cyber-threats, “such as implementing comprehensive MFA (or an equivalent measure), regularly scanning for vulnerabilities and keeping systems up to date with the latest security patches.”
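As an added illustration of the coverage gap the ICO describes (this is not code from the article, from Advanced or from the ICO), the following audit reads an account export, lists every account still lacking MFA and ranks the gaps by exposure so that remote-access and administrative accounts surface first. The column names and the sample rows are constructed assumptions, not a real directory export.

```python
import csv
import io

# Constructed sample export (assumed column layout; not real data).
SAMPLE_EXPORT = """\
username,role,remote_access,mfa_enrolled
alice,admin,yes,yes
bob,user,yes,no
carol,user,no,yes
dave,admin,no,no
erin,service,yes,no
"""


def parse_accounts(text):
    """Parse a CSV account export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def _enrolled(account):
    return account["mfa_enrolled"].strip().lower() == "yes"


def mfa_gaps(accounts):
    """Return accounts without MFA, most exposed first.

    Exposure order: remote-access accounts before internal-only ones,
    then admin roles before everything else. Python's sort is stable,
    so ties keep their original export order.
    """
    gaps = [a for a in accounts if not _enrolled(a)]

    def exposure(a):
        return (a["remote_access"].strip().lower() == "yes",
                a["role"].strip().lower() == "admin")

    return sorted(gaps, key=exposure, reverse=True)


def coverage(accounts):
    """Fraction of accounts with MFA enrolled (0.0 when the export is empty)."""
    if not accounts:
        return 0.0
    return sum(1 for a in accounts if _enrolled(a)) / len(accounts)


if __name__ == "__main__":
    accounts = parse_accounts(SAMPLE_EXPORT)
    print(f"MFA coverage: {coverage(accounts):.0%}")
    for a in mfa_gaps(accounts):
        print(f"gap: {a['username']} (role={a['role']}, remote={a['remote_access']})")
```

Anything below 100% coverage is the finding; the ordering only decides which gaps to close first.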

Protect your office (don’t be next)

If you sell IT or consulting services to third parties, carefully review your cybersecurity posture to avoid a similar fate.

As we note in our guide Small Office, Big Threats: 7 Ways to Cyber-Proof Your Business in 2025, running even a small firm comes with big risks.

Between managing supply, marketing strategies, operations, and customer relationships, it’s easy to overlook cybersecurity. But ignoring it can be costly. For a small business, a run-in with hackers can spell bankruptcy.

Bitdefender strongly recommends deploying a dedicated security solution on your network to stem the chances of a successful breach.

Bitdefender Ultimate Small Business Security is an extended version of our consumer-friendly security suite, designed specifically for small firms. It includes malware detection, ransomware prevention, email protection, account breach protection, scam protection, and VPN. It can be administered by anyone in your organization thanks to a natural, intuitive dashboard designed for use even by non-techies.


Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
