
Advanced Computer Software
UK software company fined £3.07m by ICO in March 2025 for absent PAM controls in its 2022 breach, establishing NCSC guidance as GDPR baseline.
Last refreshed: 17 April 2026
How did an NHS software supplier's lack of basic controls lead to a £3m fine?
- Why was Advanced Computer Software fined by the ICO?
- The ICO fined Advanced Computer Software £3.07 million in March 2025 for its 2022 data breach. Absent Privileged Access Management controls and inadequate Active Directory tiering allowed attackers to escalate privileges, disrupting NHS 111 and other health and care services. Source: ICO monetary penalty notice
- What does the Advanced Computer Software ICO fine mean for GDPR compliance?
- The ICO decision established that NCSC guidance on PAM and AD tiering represents the Article 32 GDPR technical standard; failing to implement it is an enforceable GDPR breach, not just a security oversight. Source: ICO
Background
Advanced Computer Software was fined £3.07 million by the Information Commissioner's Office (ICO) in March 2025 for its 2022 data breach, in which absent Privileged Access Management (PAM) controls and an inadequate Active Directory tiering model enabled attackers to escalate privileges. The ICO decision treated the breach as a GDPR-standard failure precisely because NCSC guidance on PAM and AD tiering was already publicly available and not followed.
Advanced provides software and services to NHS trusts and care providers in the UK. Its 2022 breach disrupted NHS 111 and other health and care services across England. The ICO's investigation concluded that the absence of PAM controls was a directly causative failure, rather than a background factor; attackers gained persistence through a compromised account with access Advanced had not segmented or monitored.
The Advanced decision pre-dates the larger Capita fine (£14m, October 2025) and together they define the ICO enforcement template in which NCSC guidance constitutes the enforceable GDPR technical baseline. For any UK organisation subject to the ICO, the Capita–Advanced pair is the primary case law on what constitutes an adequate privilege management and AD architecture posture under Article 32 GDPR.