Supply chain cyber incidents: The ICO's fine, and future of data processors’ accountability

The ICO’s recent decision highlights the accountability of data processors, who must step up their game, ensuring robust security measures and proactive incident response.

The ICO’s provisional decision to impose a fine on a software provider has clarified where liability and responsibility sit for data processors in supply chain cyber incidents. This finding highlights the accountability of data processors, who must step up their game, ensuring robust security measures and proactive incident response.

On 7 August 2024, the ICO announced its provisional decision to impose a hefty £6 million fine on Advanced Computer Software Group Ltd (Advanced) following a 2022 ransomware attack that severely disrupted NHS and social care services.

Advanced, a key IT and software service provider for national organisations including the NHS, handled vast amounts of personal information as a data processor on behalf of these entities. The ransomware incident exploited a customer account that lacked multi-factor authentication (MFA), leading to widespread service disruption and the exfiltration of personal data belonging to 82,946 individuals. The ICO concluded that Advanced failed to secure its healthcare systems adequately.

The new era of accountability for data processors

Despite the surge in supply chain cyber attacks in recent years (such as those affecting CTS, MOVEit, SolarWinds, Log4j, Kaseya, and Spring4Shell), there has been little clarity on the ICO’s approach to the data processor’s role in these incidents.

Whilst the regulations have always allowed the possibility of direct enforcement action against a data processor that is not meeting its obligations, examples of this in practice have historically been few. The ICO's provisional decision emphasises that the data processor's role in a cyber incident can be directly scrutinised and enforcement action taken where necessary.

What is a supply chain cyber attack?

A supply chain cyber attack occurs when an attacker infiltrates an organisation by compromising the technologies, services, or products provided by third-party suppliers. The ICO has identified three types of supply chain attacks:

  1. Software Supply Chain Attacks: Malicious code is inserted into a product or system, leading to information theft, fraud, or remote access to corporate systems.
  2. Digital Supply Chain Attacks: Attackers insert malicious code into libraries that developers incorporate into their products, creating vulnerabilities.
  3. Hardware Supply Chain Attacks: Attackers gain access through hardware components, enabling them to infiltrate corporate infrastructure or extract information.

Legal obligations

Under Article 32 of the UK GDPR, data processors must implement appropriate technical and organisational measures to protect personal data. In the event of a personal data breach (Article 4(12) UK GDPR), processors must notify the data controller without undue delay (Article 33(2) UK GDPR). Failure to do so can result in direct regulatory liability, although the risk of fines or enforcement actions for processors in the UK has historically been relatively low.

In 2023 there were a total of 74 enforcement actions, the vast majority of which related to breaches of PECR (the Privacy and Electronic Communications Regulations) rather than breaches of the UK GDPR, despite over 4,600 ransomware incidents having been reported to the ICO in 2023. [source: the ICO]

The law also places a duty on controllers to select processors that can demonstrate compliance with the UK GDPR, to ensure appropriate processing clauses are in place, and to supervise the processor’s performance (Article 28, UK GDPR). Therefore, a controller could also be held accountable by the ICO for the processor’s failure to use appropriate technical and organisational measures, unless the controller discharges this duty.

The new era of accountability

The ICO’s provisional decision to impose a fine, especially one this hefty (£6m), on a data processor demonstrates that data processors must take their security-of-processing obligations seriously and ensure that the personal data they process are kept secure.

The ICO's message: Security is non-negotiable

The ICO's provisional decision to impose a significant fine on Advanced underscores the need for data processors to prioritise security. John Edwards, UK Information Commissioner, stated: "We expect all organizations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multifactor authentication, and keeping systems up to date with the latest security patches."

Practical tips to manage supply chain risks

To mitigate the risk of supply chain attacks, controllers should:

  • Establish a robust supply chain risk management program and continuously monitor, manage, and review systems and processes.
  • Conduct thorough due diligence on suppliers before using their services, and ensure ongoing compliance once retained.
  • Obtain assurances from processors and enforce detailed security measures, including encryption, MFA, patching, EDR, and IDS.