No MFA? Expect Hefty Fines, UK’s ICO Warns


A lack of multi-factor authentication (MFA) which leads to a preventable data breach could result in substantial financial penalties, the Information Commissioner’s Office (ICO) has warned.

The ICO’s Deputy Commissioner Stephen Bonner told Infosecurity there is no longer any excuse for not deploying MFA across all external connections.

“It’s now a well-developed and mature technology that can be deployed relatively straightforwardly, and the benefits far outweigh any costs,” he noted.

“We want to add to the costs of not doing it by having this kind of consequence [financial penalties] being there,” Bonner added.

MFA Failings Result in Advanced Ransomware Breach

Bonner’s comments followed the ICO’s announcement that it had fined IT software provider Advanced £3.07m ($3.97m) after a 2022 ransomware attack that put the personal information of 79,404 people at risk.

Advanced provides data processing services to a range of organizations, including the NHS and other healthcare providers. The incident resulted in significant disruption to health services in the UK, including the NHS 111 helpline.

The compromised data included details of how to gain entry into the homes of 890 people who were receiving care at home.

Hackers were able to access systems of Advanced’s health and care subsidiary via a customer account that did not have MFA implemented.

Bonner revealed that the ICO’s investigation found that Advanced may not have fully rolled out MFA across its external accounts due to concerns that customers may have objected to the extra authentication method.

Such concerns are not a legitimate reason for not implementing MFA, Bonner emphasized.

“If you’re entrusted with this kind of data, there’s a minimum set of standards you have to achieve, and this is absolutely one of them,” he stated.

Other security failings that enabled the attack to succeed included a lack of comprehensive vulnerability scanning and inadequate patch management.

These failings also contributed to the large penalty issued, according to the ICO.

This is the first time the ICO has fined a data processor, with the regulator keen to send a message to these providers about their security obligations.

Advanced Fine Reduced Following Engagement

The ICO had announced a provisional £6.1m ($7.9m) fine for Advanced for the data breach in August 2024.

This penalty was halved after the ICO and Advanced reached a voluntary settlement, in which the IT provider agreed to pay the £3.07m penalty without appealing.

The ICO identified Advanced’s proactive engagement with government agencies, including the National Cyber Security Centre (NCSC) and National Crime Agency (NCA), and victims, including the NHS, as a major factor in the fine reduction.

Bonner explained that this approach helped reduce the harm to those individuals and organizations who were impacted by the breach.

“That is exactly the behavior we want to encourage and one key message to take away from this is that there’s a lot of good financial reasons to engage correctly with the authorities,” he noted.

Bonner added that reaching a voluntary settlement is in the wider public interest as it draws the case to a close without costly appeals and delays.

ICO Warns That Bigger Fines Will Come

The UK’s Information Commissioner, John Edwards, has previously outlined his belief that levying fines is not necessarily an effective way of improving data protection practices, serving only to tie up the ICO in litigation.

This is an approach that differs significantly from regulators in the EU, who have frequently issued fines worth hundreds of millions for data protection failings over recent years.

The ICO’s primary focus is to work with organizations to ensure that damaging incidents do not occur.

Issuing fines is “not our first choice” when breaches do occur, Bonner said.

However, he acknowledged that fines are sometimes necessary when there are serious consequences for people’s data.

One positive outcome from issuing financial penalties is that it can focus business leaders’ minds, potentially leading to more resources for cybersecurity.

Bonner said: “We find that fines make headlines, the coverage gets lots of attention and that puts it on the radar of boards across organizations, leading them to ask their organization, could this happen to us?”

Sending a message around implementing basic security controls such as MFA was a significant factor in the penalty handed to Advanced.

Bonner warned organizations that they can expect fines to increase in the future in cases like this where basic controls have not been implemented.

“This fine acts as a dissuasive and effective message to the whole economy,” he commented.
