On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies, including the lack of multi-factor authentication (MFA), identified following a ransomware incident. This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.
Background
The company provides IT and software services to organizations, including the UK’s National Health Service (NHS), and processes personal data on behalf of these organizations. In August 2022, threat actors exploited a vulnerability in one of the company’s IT systems via a customer account that did not have MFA. As a result, the threat actors were able to exfiltrate personal data, including medical and health-related records, relating to 79,404 individuals. The threat actors also deployed ransomware on the company’s systems, which disrupted access to critical medical records for many of the company’s customers, including the NHS, for a prolonged period. According to the decision, the company’s overall incident remediation and response costs amounted to more than 21 million GBP (27 million USD).
The ICO’s Key Findings
- Security deficiencies. The UK GDPR requires companies, including processors, to implement appropriate technical and organizational measures when processing personal data. The ICO found that the company had violated this requirement by failing to put in place comprehensive MFA, vulnerability scanning, and patch management.
- MFA: While the company had implemented MFA across the bulk of its IT environment, certain systems housing sensitive data did not have MFA enabled by default. This was in part because of feedback from customers that enabling MFA would lead to operational challenges for end users. The ICO emphasized that the reluctance of the company’s customers to implement MFA was not a valid excuse for failing to apply this security measure, particularly with respect to sensitive health data.
- Vulnerability scanning: The ICO found that the company did not have a mature vulnerability scanning and management process in place before the ransomware attack. The ZeroLogon vulnerability, exploited by the threat actors, had been publicly disclosed two years before the incident and had also been reported by the National Cyber Security Centre, yet the company failed to remediate it in a timely manner.
- Patch management: While the company had applied some patches to address the ZeroLogon vulnerability, the ICO criticized the company’s approach as “ad hoc.” The ICO determined that the lack of a systematic patch management process contributed to the ransomware incident.
Calculation of the Fine
The ICO found that it was entitled to calculate the fine on the basis of turnover of the company’s parent, rather than the turnover of the subsidiary that was directly impacted by the incident. The regulator determined that it was appropriate to begin calculating the fine at 65 percent of the statutory maximum of 8.7 million GBP (11 million USD), taking into account that there was no evidence of actual harm being suffered by data subjects. Further reductions were applied in light of mitigating factors.
In return for acknowledging the decision and agreeing not to appeal it, the company received an additional 20 percent reduction in the fine. Notably, this is the first time the ICO has agreed a voluntary settlement in a UK GDPR fine case, reflecting concerns about the cost and delays involved in the appeal process. In deciding to impose the fine, the ICO also considered its duty under the Deregulation Act 2015 to promote economic growth and determined that the action was unlikely to have an “impact of any measure on economic activity or growth in the UK, including employment and GDP.”
UK and EU Regulators Are Increasingly Focusing on MFA
The ICO’s decision emphasizes that, alongside thorough vulnerability scanning and patch management, it expects companies to implement MFA across their entire IT environment, especially when processing sensitive data, such as health data.
EU Data Protection Authorities are also increasingly highlighting the use of MFA as a way for controllers and processors to meet their security obligations under Article 32 of the EU’s GDPR. For instance, the French Data Protection Authority (CNIL) has released a detailed recommendation (in French) on the use of MFA.
Meanwhile, the EU’s Cybersecurity Directive (NIS2) requires in-scope companies to implement MFA to protect their information systems, where appropriate. NIS2 regulators, such as the Centre for Cyber Security in Belgium, have focused on MFA in cybersecurity awareness campaigns.
Conclusion
The ICO’s decision comes at a time of increasing cyber incidents, emphasizing the need for companies to regularly review their security practices and proactively address vulnerabilities, especially when processing sensitive data. Companies should implement robust security measures to reduce their risk exposure and safeguard themselves from regulatory penalties.
Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
Wilson Sonsini routinely advises clients on privacy and cybersecurity issues. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Nikolaos Theodorakis, Tom Evans, Laura Brodahl, or another member of the firm’s Data, Privacy, and Cybersecurity practice.
Matthew Nuding contributed to the preparation of this post.