Interserve fined £4.4m after malware hit
The outsourced services firm Interserve Group has been fined £4.4m by the Information Commissioner’s Office (ICO), the UK regulator, for a breach of data protection law: failing to keep the personal information of its staff secure.
The ICO found that the company – liquidated this year – failed to have appropriate security to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
Information Commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
About the case
The cyber attack happened between March 30 and May 2, 2020, the ICO said (that is, during the first lockdown due to the covid pandemic; the firm had gone into administration in March 2019). An Interserve employee (working from home) forwarded a phishing email, which was not quarantined or blocked by the company’s IT, to another employee who opened it and downloaded its content. This resulted in the installation of ransomware onto the employee’s workstation.
The company’s anti-virus quarantined the malware and sent an alert, but the firm failed to thoroughly investigate. If it had, the watchdog said, the firm would have found that the attacker still had access to the company’s systems. Using the compromised account, the attacker went on to the second stage of the attack: on May 1 and 2, 2020 (a Friday and Saturday) the attacker compromised 283 systems and 16 accounts, and uninstalled the company’s anti-virus software. Personal data of up to 113,000 current and former employees was encrypted on four HR databases – that is, the firm was locked out of it.
On May 2, Interserve found a message on its server stating that it had been hacked, and contacted the UK official National Cyber Security Centre (NCSC).
The ICO found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and lacked staff training and risk assessments, which left it vulnerable. Interserve was using 40 servers that Microsoft had ended support for, against the firm’s own policy. As for training, one of the two employees who received the phishing email had not received data protection training, which again went against the company’s own policy.
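The ICO’s central finding was that the anti-virus alert was never followed up, so nobody noticed that the same account kept being used, that it reached other systems, or that the anti-virus agent was later removed. The script below is an added illustration (not part of the ICO’s findings or any Interserve tooling) of the triage step that would have surfaced this: for each quarantine alert it gathers the same account’s later activity from a constructed, simplified event log and flags the alert for escalation when that account turns up on other hosts or an anti-virus uninstall is recorded. The log format and field names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical, not from the incident record).
# Format assumed: "<ISO timestamp> host=<name> user=<account> kind=<event>".
EVENTS = [
    "2020-04-01T10:05:00 host=ws-017 user=alice kind=av_quarantine",
    "2020-04-01T10:40:00 host=srv-hr1 user=alice kind=logon",
    "2020-04-03T09:12:00 host=srv-hr2 user=alice kind=logon",
    "2020-04-03T09:15:00 host=srv-hr2 user=alice kind=av_uninstall",
    "2020-04-04T08:00:00 host=ws-042 user=bob kind=logon",
    "2020-04-05T12:00:00 host=ws-099 user=carol kind=av_quarantine",
]

def parse(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def follow_up(lines, window=timedelta(days=7)):
    """For every anti-virus quarantine alert, collect what the same account
    did afterwards within `window`. An alert is marked for escalation when
    the account appears on hosts other than the one where the malware was
    quarantined, or when an anti-virus uninstall is seen for that account:
    both mean the quarantine did not end the attacker's access."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for i, alert in enumerate(events):
        if alert["kind"] != "av_quarantine":
            continue
        later = [e for e in events[i + 1:]
                 if e["user"] == alert["user"]
                 and e["ts"] - alert["ts"] <= window]
        other_hosts = sorted({e["host"] for e in later
                              if e["host"] != alert["host"]})
        av_removed = sorted({e["host"] for e in later
                             if e["kind"] == "av_uninstall"})
        findings.append({
            "user": alert["user"],
            "alert_host": alert["host"],
            "other_hosts": other_hosts,
            "av_uninstalled_on": av_removed,
            "escalate": bool(other_hosts) or bool(av_removed),
        })
    return findings

if __name__ == "__main__":
    for finding in follow_up(EVENTS):
        print(finding)
```

In the constructed data the alert for `alice` is escalated (the account later logs on to two HR servers and anti-virus is removed on one of them), while the alert for `carol` has no follow-on activity and is not.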
Interserve’s plea about its ‘financial constraints’ did not move the watchdog, which pointed out that the firm could have done some things at little or no cost. Interserve, having hired a firm to carry out monitoring of the dark web, stated that there was no evidence of data exfiltration, and the ICO acknowledged that the firm has made ‘substantial financial investments’ in raising its IT security (including hirings) since the incident. The ICO found that the incident was the result of negligence. As for whether the extraordinary months of covid were an excuse, the ICO granted that the pandemic gave the hackers the opportunity to access the firm’s network; but the ‘malicious actors’ were then able to exploit ‘negligent security practices’ within the IT network – that is, regardless of covid. The ICO’s published findings did not state whether Interserve received a ransomware demand or if it paid one.
Johan Dreyer, EMEA Field Chief Technical Officer at cyber firm Mimecast, called the £4.4m a stern warning. The cyber firm has found that the average ransomware attack payment for successfully targeted organisations is more than £600,000. He said: “We are continuing to see an increase in these cyberattacks which highlight the need for organisations to take data protection seriously. Businesses deal with sensitive stakeholder information and it is vital that organisations adequately protect it and know exactly where it is stored and who can access it.”
And AJ Thompson, CCO at the IT firm Northdoor plc, said: “Unfortunately, Interserve will not be the only company that has effectively left its head in the sand when it comes to cyber defences. Too many either fail to take the necessary steps to protect themselves or are simply overwhelmed by the size of the task facing them. It takes very little effort for cybercriminals to get their hands on the tools that allow them easy access to a company’s systems; businesses have to do a lot more in order to keep them out.
“The areas highlighted by the ICO as the reason for the fine will be shocking to some, but actually represent an accurate picture of how many companies are letting themselves, their employees and their customers down. The fact that a company the size and with the resources of Interserve was unable to update software is a glaring, and yet easily resolved oversight.
“Another of the areas focused on by the ICO was the insufficient level of staff training. This is a problem that exists within many companies and yet it leaves them incredibly vulnerable to attack. Employees are often described as the weakest link in a company’s security strategy and so leaving them without the necessary skills to identify and deal with a potential cyber threat is essentially leaving your front door open.”
And Chris Vaughan, VP Technical Account Management – EMEA & South Asia at cyber firm Tanium, said: “This incident follows a trend that I see when working with organisations to bolster their cybersecurity standards: too many still focus too much on reactive measures rather than preventative ones.
“A narrative has emerged across many IT teams that attacks are becoming too sophisticated to be stopped, and that therefore their efforts should be focused on reacting to security incidents rather than preventing them. However, I would encourage them to focus more on preventative measures which can either minimise the impact of breaches or avoid them altogether. A recent Tanium report found that 90 percent of UK IT directors agreed that ‘the majority of cyberattacks that we have experienced within our organisation have been in some way avoidable’. They are avoidable because breaches are often caused by simple things such as a work device not being patched or a staff member clicking on a link in a phishing email as we saw in the case of Interserve.”