The ICO has handed out its fourth-largest fine to date for breach of data security laws. Interserve Group Ltd – the parent company of the Interserve construction business – was fined £4.4m for multiple GDPR contraventions culminating in a data breach affecting 113,000 employees.
The data breach occurred two years ago when an employee unwittingly opened a phishing email from the attackers and downloaded its contents, which resulted in the installation of malware. Although Interserve’s anti-virus software initially flagged the attack, the company failed to investigate and respond to it adequately, leaving the malware on the recipient’s computer. Following further activity, the attackers were eventually able to access a range of personal employee data on the HR databases, and this data was rendered unavailable to Interserve as part of a ransomware attack. Following investigation, Interserve reported the attack to the National Cyber Security Centre and subsequently to the ICO and the National Crime Agency.
The ICO concluded that the company was in breach of Articles 5(1)(f) and 32 of the GDPR which broadly require a controller to ensure appropriate security using appropriate technical and organisational measures. The reasons included:
- A number of technical failures, including running outdated operating systems and failing to carry out penetration testing
- Not promptly or adequately investigating flagged incidents
- Failing to train staff regularly
- Having too many people with access privileges
Although the company did have certain IT policies and procedures in place, these were simply not implemented effectively and relevant guidance and standards from bodies such as the NCSC and ISO were ignored.
The decision of the ICO is an interesting read, not least because it describes the many factors taken into account when determining the level of the fine. The first cited was the nature, gravity and duration of the infringements which resulted in the data breach, together with the number of people whose potentially sensitive data had been affected – whilst acknowledging that only one official complaint had been received by the ICO.
The information commissioner stated that the fine should serve as a reminder to companies to regularly update their software and train their staff adequately: “The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”