What are you looking for?

14 November 2022 | Comment | Article by Emily Powell

Employee data breach: Interserve fined £4.4 million

The Information Commissioner’s Office (ICO) has fined the construction group Interserve £4.4m in relation to a cyber attack which happened in May 2020. This was the fourth largest fine it has ever imposed.

The attack happened at a time when Interserve ran an outsourcing business and was designated as a strategic supplier to the Government with clients such as the Ministry of Defence.

What happened?

An Interserve employee forwarded a phishing email to another employee who opened it and downloaded its content. Malware was subsequently installed onto the employee’s workstation. The company’s anti-virus software quarantined the malware and sent an alert but Interserve failed to thoroughly investigate, the ICO found. If they had investigated, Interserve would have realised that an attacker had been given access to their system. The attacker encrypted and rendered unavailable the personal data of up to 113,000 current and former employees. Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the categories of personal information compromised.

Why has such a hefty fine been given to Interserve?

The ICO found that Interserve had broken data protection law when it failed to put appropriate measures in place.

The ICO described Interserve’s systems and protocols as outdated, and found that this was clear from the phishing email having been delivered rather than filtered into junk or even blocked.

The ICO also said it was clear that there had been a lack of staff training and protocol. Two employees had failed to recognise the email as suspicious and an alert from the company’s antivirus software was not investigated fully.

What should organisations do to avoid penalty?

Companies should ensure that data security systems are up to date. Ideally, a company’s data security software should act as the first line of defence and block or filter harmful emails. It is also paramount that companies ensure that staff are well trained. In fact, the ICO views poorly trained staff as the biggest cyber risk as it is often a complacent employee who enables hackers to gain access to a company’s IT system.

In the event that an attacker does gain access, it is essential that a timely and thorough investigation is carried out to fully understand what has happened and learn from it. The ICO will take this into consideration when carrying out their own investigation.

Key points

  • The ICO sees lack of staff training as the biggest cyber risk
  • Companies which fail to provide adequate training to their staff can expect a hefty fine should it result in a data breach
  • Companies should ensure that their data protection systems and protocols are up to date.
  • It does not matter whether the data has been recovered through payment of a ransom. A breach has occurred regardless of whether the data is returned.

Our experience

Our Information Law team provides advice to businesses and organisations across the public, private and third sectors on data protection.

Information law requirements can often be daunting and appear complicated. The expertise and experience in our team enables us to guide clients through the process of ensuring that processes are compliant. The size of our team and depth of our experience also enables us to provide you with a rapid and responsive service, ensuring that all relevant deadlines are met.

If you need any advice related to the subjects discussed in this article, please get in touch with us.

Author bio

Emily is a partner in the Corporate and Commercial team. Emily specialises in commercial law, public procurement and subsidy control. Emily has advised housing associations on their procurement processes and can provide a complete legal service for all procurement and project requirements. Emily also hosts a forum for ‘heads of’ procurement working within the social housing sector.

Disclaimer: The information on the Hugh James website is for general information only and reflects the position at the date of publication. It does not constitute legal advice and should not be treated as such. If you would like to ensure the commentary reflects current legislation, case law or best practice, please contact the blog author.

Contact one of our experts

Fill in the form and one of our experts will get in touch with you shortly.