The UK Information Commissioner has warned that companies are leaving themselves open to cyber attacks by ignoring crucial measures like updating software and training staff. The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire-based construction company, for failing to keep the personal information of its staff secure. This is a breach of data protection law. The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
Details of the Interserve data breach
An Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.
The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems.
The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.
Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.
The ICO issued Interserve with a ‘notice of intent’ - a legal document that precedes a potential fine. The provisional fine amount was set at £4.4million. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.