UK ICO fines Interserve £4.4 million over cyberattack that exposed up to 113,000 employees

The Information Commissioner’s Office (ICO) – the UK’s independent data regulator – has fined British construction firm Interserve £4.4 million for failing to protect its employees’ information from cyberattack. The fine comes after the company suffered a data breach affecting up to 113,000 current and former employees and 283 systems. The ICO warned that the incident serves as a reminder to businesses that they leave themselves open to cyberattack by ignoring crucial security measures like updating software and training staff.

Phishing email was the source of the data breach

As outlined on its website, an ICO investigation found that Interserve failed to put appropriate security measures in place to prevent a cyberattack that occurred between late March and early May 2020. It led to the compromise of data including contact details, national insurance numbers, and bank account details, whilst special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information was also compromised, the ICO stated.

The source of the breach was a phishing email, which was forwarded by an Interserve employee to another worker who opened it and downloaded its content, resulting in the installation of malware onto the employee’s workstation, according to the ICO. “The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems,” the ICO wrote.

The attacker subsequently went on to compromise 283 systems and 16 accounts, as well as uninstalling the company’s antivirus solution. What’s more, the personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. “The ICO investigation found that Interserve failed to follow up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyberattack.”

Interserve broke data protection law

The ICO said that Interserve broke the data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.

UK Information Commissioner John Edwards stated that the biggest cyber risk businesses face is not from hackers outside of their company but from complacency within their company. “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” he said.

This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud, Edwards added. “Cyberattacks are a global concern, and businesses around the world need to take steps to guard against complacency.”