Interserve fined £4.4M for failing to secure staff’s personal data

The Information Commissioner’s Office (ICO) has fined Interserve £4.4M for failing to keep its staff’s personal information secure.

The Berkshire-based construction company was subject to a cyber attack that enabled hackers to access the personal data of up to 113,000 current and former employees through a phishing email. The ICO ruled this to be a breach of data protection law as Interserve failed to put appropriate security measures in place to prevent the unauthorised access.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The breach occurred when a phishing email was forwarded between employees, at which point Interserve’s system failed to block or quarantine it. The recipient opened and downloaded the content of the email, resulting in the installation of malware on their workstation.

The company’s anti-virus system intervened at this point to quarantine the malware and send an alert, but Interserve did not carry out a follow-up investigation into the suspicious activity. The company therefore did not realise that the attacker still had access to the company’s systems.

The attacker continued to send emails and compromised 283 systems and 16 accounts. They also managed to uninstall Interserve’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
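The two failures described above, an anti-virus quarantine alert that nobody followed up and the later removal of the anti-virus agent, are both things a security team can check for mechanically. The following Python is an added illustrative example, not code from the ICO, Interserve or any named product: it reads a constructed event log (hostnames, timestamps, event names and the 24-hour follow-up window are all assumed for the example), flags quarantine alerts with no investigation ticket inside the window, and flags any anti-virus tampering events.

```python
"""Alert-triage check: unanswered quarantine alerts and anti-virus tampering.

Added example for illustration only; not code from the ICO or Interserve.
The log format, hostnames, timestamps and event names are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real log data).
# Format: <ISO timestamp> <host> <event> <free-text detail>
SAMPLE_EVENTS = [
    "2020-03-30T09:12:00 WS-0142 AV_QUARANTINE malware.exe",
    "2020-03-30T09:12:05 WS-0142 AV_ALERT quarantine notification sent",
    "2020-04-01T14:03:00 WS-0142 USER_LOGON svc-admin",
    "2020-04-02T08:00:00 WS-0188 AV_QUARANTINE dropper.bin",
    "2020-04-02T08:30:00 WS-0188 TICKET_OPENED IR-1001",
    "2020-04-03T10:15:00 WS-0142 AV_UNINSTALL service removed",
]

# Assumed service level: every quarantine alert gets an investigation
# ticket within 24 hours, otherwise it is reported as unanswered.
FOLLOW_UP_WINDOW = timedelta(hours=24)

# Event names (assumed for this example) that indicate the endpoint
# protection agent was disabled or removed.
TAMPER_EVENTS = {"AV_UNINSTALL", "AV_DISABLED"}


def parse_event(line):
    """Split one log line into its timestamp, host, event and detail."""
    ts, host, event, detail = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "detail": detail}


def uninvestigated_quarantines(lines, window=FOLLOW_UP_WINDOW):
    """Return (host, timestamp) for each AV_QUARANTINE with no ticket
    opened on the same host within the follow-up window."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        if ev["event"] != "AV_QUARANTINE":
            continue
        followed_up = any(
            other["host"] == ev["host"]
            and other["event"] == "TICKET_OPENED"
            and ev["ts"] <= other["ts"] <= ev["ts"] + window
            for other in events
        )
        if not followed_up:
            findings.append((ev["host"], ev["ts"].isoformat()))
    return findings


def av_tampering(lines):
    """Return (host, event) for every anti-virus tampering event."""
    return [(ev["host"], ev["event"])
            for ev in map(parse_event, lines)
            if ev["event"] in TAMPER_EVENTS]


def triage_report(lines):
    """Combine both checks into one dictionary suitable for a daily review."""
    return {
        "unanswered_quarantines": uninvestigated_quarantines(lines),
        "av_tampering": av_tampering(lines),
    }


if __name__ == "__main__":
    for key, rows in triage_report(SAMPLE_EVENTS).items():
        print(key)
        for row in rows:
            print("  ", *row)
```

Run against the constructed log, the report names WS-0142 twice: once because its quarantine alert never received a ticket, and again because the anti-virus agent was later uninstalled on the same host, which is exactly the sequence the ICO found went unnoticed. A ticket, a human review or an automatic host isolation triggered by the first finding is what turns the alert into the follow-up investigation the regulator expected.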

The ICO’s investigation determined that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyber attack.

This has prompted the ICO to send a warning to all companies that they are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.

UK information commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
