The Information Commissioner’s Office (ICO) has fined Interserve Group £4.4m for failing to keep personal information of its 113,000 current and former staff secure. The fine relates to a data breach that took place on 2 May 2020, which the ICO believes was avoidable – a belief that Interserve disputes.
Failing to keep personal information of staff secure is a breach of data protection law.
The ICO found that the company failed to put appropriate security measures in place to prevent the cyber attack. The hackers were able to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details. The data also included ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
The Interserve data breach
In a statement, the ICO provided details of the May 2020 breach. An Interserve employee forwarded a phishing email to another employee. Interserve’s system failed to quarantine or block the email. The employee opened it and downloaded its content, resulting in malware being installed onto the employee’s workstation.
The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. Had it done so, Interserve would have found that the attacker still had access to the company’s systems, the ICO said.
The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyber attack.
Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.
The ICO issued Interserve with a notice of intent – a legal document that precedes a potential fine. It set the provisional fine amount at £4.4m. The ICO “carefully considered representations from Interserve”, but decided to issue the fine in full.
Interserve offered its account of events in its most recent set of accounts (for 2019, registered at Companies House on 4 March 2021). It said: “On becoming aware of the cyber attack, the group’s crisis response was immediately launched, and its business continuity plans were implemented.”
The group’s construction division (since rebranded as Tilbury Douglas and no longer owned by Interserve Group) was among the parts of the business most affected by the breach.
“As of 24 August 2020, the remediation work carried out across the group had been completed such that the company believes that there is no residual threat,” Interserve stated in the accounts.
The group appointed a new CIO from outside the business. The CIO led an “uplift programme” to ensure that Interserve’s infrastructure, systems and processes were fit for purpose.
The group said it complied with obligations to inform the ICO and was cooperating with its then-investigation.
Furthermore, Interserve has issued a response to the fine and the press release issued by the ICO.
"Interserve has worked extensively with the ICO and the NCSC since first reporting the cyber incident in May 2020. This cooperation and the work done to mitigate the possible impact on individuals are expressly recognised by the ICO in the ICO’s Monetary Penalty Notice (MPN)," the business stated.
"Interserve strongly disputes that its staff and the company’s response were in any way complacent. The statements in the ICO’s press release issued on Monday 24 October 2022 are inconsistent with the ICO’s MPN, which does not reference in any way that Interserve was complacent in its actions.
"In fact, as the ICO recognises in its MPN, Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.
"It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group plc."
The statement concludes: "Notwithstanding the inconsistencies between the ICO’s MPN and press release and concerns that the ICO has not followed a fair and proper process, Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations."
Cyber security guidance
UK information commissioner John Edwards highlighted the key issue of complacency. He said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff. It left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and National Cyber Security Centre (NCSC) already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
The ICO said: “Protecting a business from a cyber attack can feel technical or intimidating. But most organisations we see getting it wrong have made preventable mistakes.
“To better safeguard people’s data, organisations must regularly monitor for suspicious activity and investigate any initial warnings; update software and remove outdated or unused platforms; update policies and secure data management systems; provide regular staff training; and encourage secure passwords and multi-factor authentication.”
There is a regulatory requirement to report any cyber attack to the ICO.
Don’t miss out on BIM and digital construction news: sign up to receive the BIMplus newsletter.