What happened, who was affected, and what we can learn…
March saw enforcement action against a major NHS software provider. Personal data of vulnerable individuals was exposed in a ransomware attack, demonstrating that critical national infrastructure remains at high risk.
Advanced Computer Software Group (NHS data processor)
Date Reported: 27th March, 2025
No. of UK Individuals Affected: 79,404
Data Exposed or at Risk: Sensitive home access and health information related to vulnerable individuals
ICO Response: £3.07 million fine issued
Summary: Attackers used stolen credentials to enter a key system without MFA, then executed ransomware and exfiltrated medical data. Advanced failed to have full MFA, patching, or scanning protocols in place.
Commentary: This is a watershed moment: an ICO fine targeting a data processor for failure to protect NHS data. The expectation is that every link in the data chain must be secure, not just controllers.
ICRIR (Independent Commission for Reconciliation and Information Recovery)
Date Reported: 18th March, 2025
No. of UK Individuals Affected: 25
Data Exposed or at Risk: Names only (due to admin email error).
ICO Response: Report filed; breach contained, no fine expected.
Summary: A minor but meaningful incident: an email misdirect revealed 25 names. Quickly handled and reported.
Commentary: Small errors can happen anywhere, but quick response and full disclosure earned trust, not fines.
Insights for UK Businesses
- Processors are now under the same spotlight as controllers; no compartmentalising cyber security responsibility.
- Sensitive care sector data is non-negotiable; MFA, patching, and scans must be universal.
- Human error happens but can be managed with training, guidelines, and robust oversight.
Legislative Context
These breaches occurred prior to the Data (Use and Access) Act, but the underlying issues (gaps in control, reporting surface faults, and delayed public awareness) directly informed the new law's provisions.
Conclusion
March elevated the game: if you handle health data, or any critical infrastructure, you aren't just judged on firewalls, but on organisational maturity, access standards, and responsive governance.
Disclaimer
This report is based on public disclosures, media reports, and ICO updates available at the time of writing. Figures for affected individuals may be estimated where not officially disclosed. This post is intended for informational purposes only and does not constitute legal advice.