Britain’s data watchdog has fined the construction group Interserve £4.4m after a cyber-attack that enabled hackers to steal the personal and financial information of up to 113,000 employees.
The attack occurred when Interserve ran an outsourcing business and was designated a “strategic supplier to the government with clients including the Ministry of Defence”. Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the personal information compromised.
The Information Commissioner’s Office (ICO) said Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack, which happened two years ago.
Interserve’s system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated. The attack led to 283 systems and 16 accounts being compromised, uninstalled Interserve’s anti-virus system and encrypted all current and former employees’ information.
The ICO said Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments.
“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud,” said John Edwards, the UK information commissioner.
“Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”
The ICO can impose a maximum fine of £17.5m or 4% of global annual turnover, whichever is higher. It can choose to reduce the level of a fine if a company can offer mitigating arguments.
The ICO said that after “careful consideration” of representations made by Interserve, it had decided not to reduce the level of the fine, which was the fourth largest it has ever imposed.
Commenting on the level of the fine, Edwards said: “The intention is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness.”
Edwards, who began his five-year term as commissioner in January, said the ICO had about 80 active investigations and opened about 500 a year.
He said ransomware attacks, in which hackers give data back to a company if they are paid off, is the most common type of cyber-attack the ICO dealt with. He warned that paying a ransom would not reduce the level of a fine as it was “not considered a reasonable step to safeguard data”, adding: “We will not concede that the payment of a ransom to recover data is a mitigating factor.”
Last month, the watchdog issued TikTok with a “notice of intent”, a precursor to a potential fine, which could be up to £27m for failing to protect the privacy of children between 2018 and 2020.
In January, the ICO and the National Cyber Security Centre (NCSC), which is part of GCHQ, urged UK companies to bolster their digital security as the Russian invasion of Ukraine loomed.
