The Information Commissioner’s Office (ICO) has fined the construction group Interserve £4.4m in relation to a cyber attack which happened in May 2020. This was the fourth largest fine it has ever imposed.
The attack happened at a time when Interserve ran an outsourcing business and was designated as a strategic supplier to the Government with clients such as the Ministry of Defence.
An Interserve employee forwarded a phishing email to another employee who opened it and downloaded its content. Malware was subsequently installed onto the employee’s workstation. The company’s anti-virus software quarantined the malware and sent an alert but Interserve failed to thoroughly investigate, the ICO found. If they had investigated, Interserve would have realised that an attacker had been given access to their system. The attacker encrypted and rendered unavailable the personal data of up to 113,000 current and former employees. Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the categories of personal information compromised.
Why has such a hefty fine been given to Interserve?
The ICO found that Interserve had broken data protection law when it failed to put appropriate measures in place.
The ICO described Interserve’s systems and protocols as outdated, and found that this was clear from the phishing email having been delivered rather than filtered into junk or even blocked.
The ICO also said it was clear that there had been a lack of staff training and protocol. Two employees had failed to recognise the email as suspicious and an alert from the company’s antivirus software was not investigated fully.
What should organisations do to avoid penalty?
Companies should ensure that data security systems are up to date. Ideally, a company’s data security software should act as the first line of defence and block or filter harmful emails. It is also paramount that companies ensure that staff are well trained. In fact, the ICO views poorly trained staff as the biggest cyber risk as it is often a complacent employee who enables hackers to gain access to a company’s IT system.
In the event that an attacker does gain access, it is essential that a timely and thorough investigation is carried out to fully understand what has happened and learn from it. The ICO will take this into consideration when carrying out their own investigation.
- The ICO sees lack of staff training as the biggest cyber risk
- Companies which fail to provide adequate training to their staff can expect a hefty fine should it result in a data breach
- Companies should ensure that their data protection systems and protocols are up to date.
- It does not matter whether the data has been recovered through payment of a ransom. A breach has occurred regardless of whether the data is returned.
Our Information Law team provides advice to businesses and organisations across the public, private and third sectors on data protection.
Information law requirements can often be daunting and appear complicated. The expertise and experience in our team enables us to guide clients through the process of ensuring that processes are compliant. The size of our team and depth of our experience also enables us to provide you with a rapid and responsive service, ensuring that all relevant deadlines are met.