Implement MFA or Risk Non-Compliance With GDPR

August 7, 2024 at 11:12AM

The UK’s Information Commissioner’s Office has announced its intent to fine the Advanced Computer Software Group £6.09 million due to a ransomware attack on the National Health Service. Personal data of 82,946 patients was compromised, causing disruption to the 111 call service. The attack was linked to inadequate security measures, emphasizing the criticality of multi-factor authentication.

The UK Information Commissioner’s Office (ICO) has announced its intention to fine the Advanced Computer Software Group £6.09 million over a ransomware attack against the National Health Service (NHS) in August 2022. Personal details of 82,946 patients were exfiltrated, and the 111 (non-emergency) call service was disrupted. The stolen data also included information on how to gain access to the homes of 890 people receiving care at home.

The ICO’s findings are provisional, but its investigation found that the attackers accessed Advanced’s health and care systems through a customer account that was not protected by multi-factor authentication. The intention to fine is meant as a warning to other organizations to take fundamental steps to secure their systems: regularly checking for vulnerabilities, implementing multi-factor authentication, and keeping systems up to date with the latest security patches.

The UK Information Commissioner, John Edwards, emphasized the importance of multi-factor authentication (MFA) for organizations, especially those handling sensitive health data. The implication for data controllers and processors is that avoiding non-compliance requires MFA on every account with access to personal data, regular vulnerability scans, and an effective patching regime. Separately, it was noted that a Russian cyber gang is thought to be behind the ransomware attack that hit London hospitals, and that the investigation into that attack may take weeks.