In October 2022, Interserve Group Ltd, a Berkshire-based construction company, was fined £4.4 million by the Information Commissioner's Office (ICO) for failing to keep the personal data of up to 113,000 employees secure, with the result that the data was compromised.
Interserve's systems did not block or quarantine a phishing email that was forwarded from one Interserve employee to another. The employee, who received the forwarded phishing email, opened and downloaded the content of the email, which led to malware being installed onto the employee's workstation.
The ICO's investigation found that, whilst the company's anti-virus software had sent an initial alert, Interserve failed to follow up on that alert of suspicious activity. It also used outdated systems, software and security protocols, carried out insufficient risk assessments, and failed to ensure that employees had undertaken phishing training, contrary to the requirements of Article 32(1)(d) of the UK GDPR. The overall effect was that Interserve broke data protection law by failing to put in place appropriate technical and organisational measures to prevent unauthorised access to personal information, contrary to Article 32(1)(b) and (c) of the UK GDPR, and was ultimately vulnerable to cyber-attacks.
In this instance, these failures resulted in the attacker compromising 283 systems and 16 accounts (including 12 privileged accounts). The attacker uninstalled the company's anti-virus solution and encrypted (rendering unavailable) personal data of up to 113,000 data subjects (current and former employees of Interserve).
The compromised personal data included employees' contact details, national insurance numbers and bank account details, as well as special category personal data including ethnic origin, religion, details of any disabilities, sexual orientation and health information.
The ICO, however, recognized Interserve's remedial efforts and good work following the incident and acknowledged that there was no evidence of exfiltration of any of the affected data.
Key takeaways for organisations
Shortly after announcing the fine against Interserve, John Edwards, the UK Information Commissioner, stated that the "biggest cyber risk is complacency, not hackers".
Mr. Edwards also emphasised the following points, which companies should take note of to avoid receiving similar fines:
- Similar fines will occur if organisations do not: "regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff."
- "Leaving the door open to cyber attackers is never acceptable, especially when dealing with the people's most sensitive information."
- "Businesses around the world need to take steps to guard against complacency."
Furthermore, the ICO stated on LinkedIn, in response to this fine, that:
- Organisations should keep software up to date – exploiting system vulnerabilities is a common method hackers use to gain access to systems and software;
- Train staff to recognise and deal with basic cyber threats such as recognising phishing emails;
- Use strong passwords and have methods in place that detect length of password, characters and deny certain passwords on the basis that they can be compromised easily; and
- Organisations should back up their data - this is one of the most important ways to mitigate the risk of ransomware. However, organisations should consider whether the current backup method could be compromised and perform threat analysis against solutions accordingly.
How can DWF help?
DWF's legal and multi-disciplinary team provides clients with global support on critical cyber security issues, including preparing for and responding to security failures and data breach events. Our team includes legal advisors, management consultants and risk professionals with verifiable, market-leading credentials in these areas.
To discuss how we can help you achieve positive security and data risk outcomes, even in the most complex and contentious of circumstances, please contact one of the authors below.
Written by Najiba Sultana and Mark Hendry