Overview
- The ICO, which announced the penalty Monday, set the fine at £964,900 as a voluntary settlement after the company accepted the findings and agreed not to appeal.
- The breach exposed personal data on 633,887 people, with more than 4.1TB of stolen files later found on the dark web that included bank details, login credentials, National Insurance numbers, and entries that could reveal disabilities.
- The intrusion began with a phishing email in September 2020 and went undetected for about 20 months, until IT slowdowns in July 2022 triggered an internal probe; a ransom note was discovered two days after the breach was reported.
- Investigators cited weak access controls that let attackers gain administrator rights, scant monitoring that covered only about 5% of systems, use of outdated software such as Windows Server 2003, and poor patching and security scanning.
- At the time the firm held records on roughly 1.85 million customers. The regulator cut the penalty by 40% to reflect the firm's early admission, remediation and cooperation, and said it intends the lessons of the case to push other critical providers to review their defenses.