The ICO has fined Interserve Group Ltd, an outsourcing and construction company, £4.4 million after it suffered a cyber-attack in 2020, resulting in the personal data of 113,000 of its current and former employees being compromised.
Details of the cyber-attack
The cyber-attack occurred when an Interserve employee who was working from home forwarded a phishing email to another employee, who opened it and downloaded the contents. The initial phishing email was not quarantined or blocked by Interserve’s system and the download resulted in malware being installed on the employee's workstation.
Interserve’s anti-virus quarantined the malware and sent an alert, but Interserve failed to conduct a sufficient investigation. As a result, the hacker was given access to 283 systems and 16 accounts and allowed them to uninstall the company’s anti-virus solution.
Personal data of up to 113,000 employees was encrypted and rendered ‘unavailable’. The data which was compromised spanned 4 HR databases and included details of national insurance numbers and bank accounts of employees but also special category data including ethnic origin, details of any disabilities and sexual orientation.
The ICO decision
The ICO found that Interserve:
- failed to follow-up on the original alert of a suspicious activity;
- used outdated software systems and protocols; and
- had a lack of adequate staff training and insufficient risk assessments.
The combination of these factors ultimately created vulnerability to a cyber-attack as the penalty notice highlighted:
“Interserve ought reasonably to have been aware of the risks posed by running outdated support systems, in particular in circumstances where the risks of running outdated support systems were well-known and documented”.
Interserve’s lack of sufficient action in relation to cybersecurity amounted to a breach of data protection law. Specifically, it failed to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information, which is one of the key principles of the UK GDPR.
The ICO initially issued Interserve with a ‘notice of intent’ (as it did with TikTok) with a provisional fine amount set at £4.4million. After considering representations from Interserve, no changes were made to the final fine amount.
John Edwards, the UK Information Commissioner has said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office”.
Key takeaways and implications
In light of the ICO’s warning that the biggest cyber risk to businesses is internal complacency and not necessarily external threat actors, there are several practical steps that businesses should be taking:
refresh cyber security training for employees at all levels of their business;
take an active approach to training and make sure it is ongoing e.g. regularly sending phishing emails to test cyber resilience; and
ensure IT infrastructure and operating systems are checked and updated regularly
As National Cybersecurity Awareness Month comes to an end, this fine reiterates both the stance that the ICO is taking towards deficient cybersecurity practices as well as the importance of businesses taking a proactive approach to cybersecurity training and maintaining their security systems and procedures to ensure that they are prepared for a cyber-attack when, and not if, it occurs.