The UK Information Commissioner’s Office (ICO) found that Interserve failed to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
In May 2020 an Interserve employee forwarded a phishing email, which was not quarantined or blocked by the Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.
The company’s anti-virus system quarantined the malware and sent an alert, but – according to the ICO – the company failed to thoroughly investigate the suspicious activity. If it had done so, it would have found that the attacker still had access to the company’s systems.
The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus system. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
The compromised data included personal information such as contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyber-attack.
UK information commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber-attacks are a global concern, and businesses around the world need to take steps to guard against complacency.”
The ICO has the power to impose a civil monetary penalty on a data controller of up to up to £17.5m, or 4% of total global annual turnover, whichever is higher.
This penalty was issued under the DPA2018 for infringements of the General Data Protection Regulation (GDPR).
Got a story? Email news@theconstructionindex.co.uk
