Cyber risk: Interserve Group fined £4.4 million for employee data breach

The Information Commissioner's Office (ICO) has recently fined an outsourcing and construction company, Interserve Group Limited, £4.4 million after it suffered a cyber attack in 2020. The attack resulted in the personal data of 113,000 current and former employees being compromised, breaching Article 5(1)(f) and Article 32 of the General Data Protection Regulation (GDPR).

What happened?

An initial phishing email, disguised as an urgent document review, was sent to an Interserve accounts team mailbox and was not quarantined or blocked by Interserve's system. Whilst working from home, an Interserve employee forwarded the phishing email to another employee. After the employee downloaded the contents, malware was installed on their workstation.

Interserve's anti-virus software quarantined the malware and sent an alert, but the company failed to conduct an investigation. The ICO found that if Interserve had investigated the malware alert, it would have realised that the hackers had access to its computer system. Because Interserve failed to investigate the matter properly, the hackers gained access to 283 different systems and 16 separate accounts, allowing them to uninstall the company's anti-virus solution.

The personal data of up to 113,000 employees was encrypted and rendered ‘unavailable’. The compromised data spanned 4 HR databases and included national insurance numbers, employees' bank account details and employee special category data, including ethnic origin, health data and details of disabilities and sexual orientation.

The decision

The ICO found that Interserve failed to put in place adequate measures to keep personal data secure and prevent a cyber-attack, which subsequently led to the hackers accessing Interserve employee personal data.

Critically, the ICO found that Interserve:

  • processed personal data on an unsupported operating system;
  • failed to follow up on the original alert of suspicious activity;
  • used outdated software systems and protocols – the phishing email was not blocked or filtered into junk; and
  • had a lack of adequate staff training and insufficient risk assessments.

The £4.4 million fine issued to Interserve is the fourth largest fine the ICO has ever imposed. The level of fine highlights the potentially significant impact of a failure to implement appropriate technical and organisational measures to ensure the safety and security of personal data.

Key takeaways

To comply with data protection legislation, businesses have a responsibility to ensure that they have implemented appropriate measures to keep personal data secure.

The ICO's decision is an important reminder to ensure that your business' security systems are up to date. A business' security software should act as the first defence to block, filter or flag harmful emails. Unused systems and platforms should be removed and regular monitoring should be carried out to ensure that all systems are updated and appropriately secure.

In its press statement regarding its enforcement action, the ICO has highlighted that it believes the biggest cyber risk comes not from hackers but from complacency within a business, which can arise from a lack of employee training regarding information security. A high priority for businesses should therefore be ensuring that they refresh their formal cyber security training for all levels of staff on a regular basis. Cyber risk policies should be kept up to date, and risk assessments should be regularly carried out and updated to reflect and respond to new and more sophisticated risks. Businesses should be taking a proactive approach to employee training by (for example) sending fake phishing emails internally to review employee responses, in addition to employee training. This ensures that employee training is ongoing and not just an annual tick-box exercise.

Finally, in the event a hacker does gain access to your system, ensure your business responds quickly and effectively to any alerts. You must ensure that you carry out (and document) a full investigation to understand what has happened, take mitigating steps to reduce the impact of the intrusion to your system, note any lessons learnt and implement steps to reduce the likelihood of such an event happening again. This could take the form of updating security measures, policy/process changes, enhanced employee training or a combination of all of the above. The ICO will take these factors into consideration when carrying out its own investigations and when deciding the level of penalty awarded for any data breaches.
