Introduction
On 26th March 2025, a penalty notice for over £3 million was released by the Information Commissioner’s Office (ICO). This followed an investigation of a security incident that started on 22nd August 2022, with final recovery actions taking place on 23rd May 2023 and impacted services such as NHS 111 and NHS Trusts. This penalty notice is important to understand as it can help us prevent similar incidents and also learn more about penalties relating to data protection. In this article, we review the incident, understand the cost to recover, identify key areas of learning, and the associated benefits of Cyber Essentials.
Incident Overview
In August 2022, a threat actor gained unauthorised access to the IT environment of a group of organisations via a remote access capability and (at least one) unpatched device. They navigated through the network, exfiltrated data, and executed a ransomware attack. The impact was significant, affecting the attacked organisations, as well as many other entities, including NHS Trusts and ~80,000 people. Key learnings relate to the implementation of multi-factor authentication, timely patch management, and vulnerability assessments. These same controls are required as part of the Cyber Essentials scheme and can prevent common forms of cyber attack.
Ransomware Attack Chain
- Ransomware is an attack favoured by threat actors – a point of weakness is exploited, access is gained, and infection takes place.
- A ‘command and control’ situation can occur, to orchestrate further action, typically involving the infection of other devices and the covert copying or moving of data.
- By encrypting systems and data in place, a bad actor can impact the operations, further threaten the impacted organisation, and add leverage that the data has been exfiltrated.
- The more valuable the data, the more leverage the threat actor may have.
An illustration of a common ransomware attack chain is shown below.
Data Breach
The report states that the threat actor gained access to personal data (such as names, addresses, telephone numbers, and email addresses) and sensitive data (relating to medical records and information on how to access the homes of nearly 900 people). This could lead to a series of further impacts, including identity theft, financial loss, emotional distress, and safety concerns.
Impact and Cost
The public release document provides insight and information:
- The personal data of 79,404 data subjects was exfiltrated, of which 41,196 had special category data exfiltrated.
- Major impact for the organisation attacked, with 395 endpoints impacted by ransomware and 9 months to recover systems.
- Overall costs for the incident and remediation in excess of £21 million.
- Supply chain: Other organisations are also impacted through the supply chain. Oxford Health NHS Foundation Trust reported, “The incident was upgraded to a Trust-wide Critical Incident… a national incident affecting a number of other NHS organisations. This cyber incident placed a huge burden on colleagues… many of whom have worked considerably in excess of their contracted hours to deliver services.”
Key findings
Article 32 of the UK Data Protection Act 2018 (UK GDPR) refers to appropriate measures being in place relating to the protection of data. The ICO review determined there was:
- “A failure to undertake adequate vulnerability scanning within the environment.”
- “A failure to have adequate patch management in place to ensure the ongoing confidentiality, integrity, and availability of data.”
- “A failure to implement multi-factor authentication in the environment.”
ICO statements made in conjunction with the penalty notice include:
“Today’s decision is a stark reminder that organisations risk becoming the next target without robust security measures in place. Organisations must be taking proactive steps to assess and mitigate risks, such as implementing comprehensive MFA (or an equivalent measure), regularly scanning for vulnerabilities, and keeping systems up to date with the latest security patches”
This penalty notice, therefore, serves as a helpful reminder that Data Processors can be subject to heavy penalties where deficiencies in their security measures have caused or contributed to a data breach.
Links with Cyber Essentials
- Cyber Essentials focuses on the implementation of five technical controls, including multi-factor authentication and timely patching of critical and high-risk vulnerabilities.
- The ICO report references the Cyber Essentials scheme, setting out the requirement to address critical and high-risk vulnerabilities and the recommendation for MFA for services where it’s available.
- Based on a review of the notice, it’s also apparent that part of the organisation attacked had been certified for Cyber Essentials Plus; however, the attack took place through another part of the organisation, which was not certified (and did not have the same level of technical controls applied).
- Supply chain risk can be managed by mandating that suppliers and partners are Cyber Essentials certified.
Lessons Learned
- Vulnerability scanning: Having a way to identify weaknesses (such as the vulnerability assessment carried out as part of Cyber Essentials Plus) can help avoid data breaches and reduce the risk of heavy fines
- Patch management: Patching critical vulnerabilities in a timely manner (as required by Cyber Essentials controls) is an essential risk reduction control, especially on external/public-facing services
- Multi-factor authentication: Implementing MFA where available is another technique to help prevent common forms of cyber attack and is also a requirement of the Cyber Essentials scheme
- Whole Organisation: Applying controls to the ‘whole organisation’, rather than part of the organisation, can help reduce risk and prevent common forms of cyber attack, such as ransomware
- Supply Chain Management: Operational impact can be managed by mandating Cyber Essentials in the supply chain
- Data Protection is crucial for organisations – penalties can be issued to Data Controllers, as well as Data Processors
- Penalty notice: advanced-penalty-notice-20250327.pdf
Conclusion – How a Cyber Security Incident Led to a £3 million Penalty, and Over £21 million in Recovery Costs
A penalty notice of over £3 million was issued by the ICO on 26th March 2025, relating to a security incident between August 2022 and May 2023, costing the impacted organisation in excess of £21 million. The initial point of attack was linked to remote access weaknesses and a lack of patching. The impact was significant, affecting the organisation and others in the supply chain, including NHS 111 and various NHS Trusts. Personal data (names, addresses, telephone numbers, email addresses) and sensitive data (medical records and information on how to access people’s homes) were exposed. The ICO identified that appropriate measures were not in place to protect the data, issuing a penalty notice to a Data Processor. This is a reminder that Data Processors as well as Data Controllers must comply with Article 32 of the UK GDPR. Controls related to multi-factor authentication, patch management, and vulnerability scanning were found to be insufficient. The Cyber Essentials scheme requires five key technical controls to prevent common forms of cyber attack, such as ransomware—these include multi-factor authentication and vulnerability fixes.
How We Help
At RB Consultancy Ltd, we support organisations looking to implement controls and/or certify to Cyber Essentials and Cyber Essentials Plus requirements:
- NCSC Cyber Advisor certified – we’re proven to help organisations understand and implement technical controls
- Vulnerability Assessment Plus certified – we have skills and tools to identify weaknesses, risk rank findings to support prioritisation, and provide remediation advice to enable swift action to be taken
- IASME Cyber Essentials Plus Assessor certified – we’ve been tested to assess organisations against the requirements and provide advice on how to apply fixes
- Cyber Essentials Plus Certification Body certified – we’re trusted to issue certificates to organisations that have met the required standards
If you would like assistance with implementing controls or with Cyber Essentials / Cyber Essentials Plus certification, contact us for support.
Written by Remo Belisari, Managing Director of RB Consultancy Ltd, an experienced cyber security professional cyber advisor. Remo holds certifications relating to CISSP, ISSAP, ISO 27001, Cyber Essentials, IASME Cyber Assurance, and has many years experience in IT and cyber security. Remo has a history of supporting organisations from all over the world – including a Fortune 500 in USA and over 100 organisations across the UK. The views expressed in this blog are those of the author and do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliated organisations. The content is intended for general information only and should not be taken as legal advice.