The ICO has fined the outsourcing company Interserve Group Ltd £4.4 million after a cyber-attack that gave hackers access to the personal data of 113,000 employees.
The data breach
The attack began in May 2020 when an Interserve employee who was working from home received a phishing email. They forwarded it to a colleague, who opened it and downloaded its contents.
This installed malware on the colleague's workstation. Interserve's anti-virus software initially quarantined the malware and raised an alert, but Interserve did not fully investigate the alert, and the malware remained on the system.
Using that foothold, the hackers uninstalled Interserve's anti-virus software and went on to compromise 283 systems and 16 accounts. They gained access to the personal data of 113,000 employees, including bank account details, email addresses, National Insurance numbers and sexual orientation. They then encrypted the data, leaving Interserve unable to access it.
The Information Commissioner's Office (ICO) decision
The ICO found that Interserve was in breach of the GDPR, which requires a data controller to ensure the security of personal data. In particular, the ICO found that Interserve had:
- failed to adequately investigate the incident alert, including failing to verify that the malware had been removed from the system;
- failed to adequately train staff: one of the two employees who handled the phishing email had received no cyber security training;
- operated an overly broad privileged account management system that granted privileged access to too many accounts, which allowed the hackers to compromise multiple accounts; and
- used outdated operating systems and protocols.
The ICO imposed a fine of £4.4 million, the fourth largest fine it has ever issued. The ICO praised Interserve for its cooperation with the investigation and its proactive remediation efforts, but after considering these mitigating factors it did not reduce the fine.
Key lessons for businesses
What can businesses learn from the findings of the ICO?
1. Training is the best defence against cyber attacks
John Edwards, UK Information Commissioner, warned that “the biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company”.
Businesses should ensure that staff at all levels receive data protection and cyber security training. The National Cyber Security Centre advises that training should be ongoing and backed up with further assurance testing, such as penetration testing, to confirm that it is effective.
2. Effective oversight of IT policies and systems is crucial
Businesses must take a proactive approach to cyber security: monitoring systems for suspicious activity, acting on the alerts that monitoring produces, and keeping software up to date. Commenting on the fine, the Information Commissioner stated, “if your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
3. Risk assessments
The ICO advised that it is not enough simply to create and maintain cyber security policies; they must be continually reviewed, updated and actually implemented. Regular and effective risk assessments reduce the likelihood of future attacks and limit the impact they have on systems when they do occur.
If you have any questions regarding data protection obligations for your business, or any other issue raised in this article, then please contact Martin Varley (m.varley@hklaw.uk).