RISK

NEWS

Construction company fined £4.4m for data breach

28 Oct 2022

    • The UK Information Commissioner has warned that companies are leaving themselves open to cyberattack by ignoring crucial measures like updating software and training staff. The warning comes as the ICO issued a fine of £4,400,000 to Interserve Group Ltd, a construction company, for failing to keep the personal information of its staff secure. This is a breach of data protection law.

    The ICO found that the company failed to put appropriate security measures in place to prevent a cyberattack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

    The compromised data included personal information such as contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

    John Edwards, UK Information Commissioner, said:

    “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office. Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud. Cyberattacks are a global concern, and businesses around the world need to take steps to guard against complacency.”

    The breach occurred when an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.

    The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If it had done so, Interserve would have found that the attacker still had access to the company’s systems.

    The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

    The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyberattack.

    Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.

    The ICO issued Interserve with a ‘notice of intent’ – a legal document that precedes a potential fine. The provisional fine amount was set at £4.4m. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.

    Protecting a business from a cyberattack can feel technical or intimidating, but most organisations getting it wrong have made preventable mistakes.

    To better safeguard people’s data, organisations must regularly monitor for suspicious activity and investigate any initial warnings; update software and remove outdated or unused platforms; update policies and secure data management systems; provide regular staff training; and, encourage secure passwords and multi-factor authentication.

    In the event of a cyberattack, there is a regulatory requirement to report this to the ICO as the data regulator. Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyberattack, as it does not reduce the risk to individuals and is not considered a reasonable step to safeguard data.

    When a personal data breach has occurred, you need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a risk then you must notify the ICO; if it’s unlikely then you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.

    You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it. If you take longer than this, you must give reasons for the delay.

    To notify the ICO of a personal data breach, you need to follow the guidance on the ICO’s website, where you can carry out a self-assessment to help determine whether your organisation needs to report to the ICO. If you decide the personal data breach needs to be reported, you can call the ICO helpline or report it online.