
ICO Warns Against Complacency as it Hands Out £4.4M GDPR Penalty

The Information Commissioner’s Office (ICO) imposes hefty penalty for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).
November 16, 2022

The Information Commissioner’s Office (ICO) has imposed a hefty penalty of £4.4M on UK-based construction company Interserve Group Ltd. for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).

Although Interserve was itself the victim of a cyberattack, the ICO had little sympathy for the company, with Information Commissioner John Edwards stating:

The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

Clearly, the ICO is continuing to crack down on companies which don’t take data security seriously. So, what can production teams learn from this decision?

What happened?

In March 2020 a phishing email was sent to Interserve’s accounts team mailbox requesting urgent review of a document. The email wasn’t picked up by Interserve’s email system. An employee monitoring the inbox forwarded it to a colleague who was responsible for paying invoices.

The second colleague opened the email and downloaded the attached zip file. The file installed malware on their computer, giving the hacker access to their system.

Interserve’s anti-virus tool detected the malware and removed it. However, the company failed to take any further steps to investigate the incident and the hacker retained access to the employee’s computer.

The hacker subsequently gained access to Interserve’s IT system. Among other things, the hacker compromised four HR databases containing data relating to 113,000 former and current employees. This data included personal data – such as contact details, national insurance numbers, bank details and salary information – as well as special category personal data, including data relating to ethnic origin, religion, sexual orientation and disabilities.

Two months after the original attack, during a routine maintenance check, Interserve discovered a message on its server stating that it had been hacked. It subsequently reported the attack to the National Cyber Security Centre and the National Crime Agency and submitted a personal data breach notification to the ICO.

The penalty

Following an investigation, the ICO concluded that Interserve had failed to put appropriate technical and organizational measures in place to prevent the cyberattack, in breach of Articles 5(1)(f) and 32 of the UK GDPR.

In particular, the ICO found that Interserve had:

  • Failed to follow up after being alerted to suspicious activity
  • Used outdated software systems and protocols
  • Failed to provide proper staff training (at the time of the incident, only one of the employees who received the phishing email had undertaken data protection training), and
  • Failed to undertake proper risk assessments

According to the ICO, these failures had rendered Interserve vulnerable to a cyberattack.

Takeaways for production

In its decision, the ICO acknowledges that while protecting a business from cyberattacks can feel intimidating, most organizations which get it wrong make preventable mistakes.

With phishing attempts constituting the most common form of cyberattack reported by UK businesses, there are some lessons which can be learned from this decision.

Training, training, training

Because phishers prey on individuals, it’s essential that production teams undergo data protection training so that they can recognize attempted attacks. Unusual or mis-spelled domain names, poor spelling and grammar, and urgent requests to perform a task (such as making a payment) can all be signs that an email isn’t what it seems. As demonstrated in this case, accounts teams may be a particular target due to the nature of their role.

Phishers are becoming increasingly sophisticated, so training should be provided on a regular basis to keep data protection top of mind.

In addition to providing regular training, it’s essential that production companies have appropriate data protection policies in place and a means to update and promote these. It’s also important to have a clear audit trail of who’s read and agreed to your policies.

Robust systems

Interserve’s outdated software systems made it vulnerable to a cyberattack. Similarly, personal email systems and devices and insecure IT networks can leave you exposed if you’re using them to host and share personal data, such as contract and payment information. To reduce your risk, make sure you’re using a secure, cloud-based solution to manage personal data, with added security measures like multi-factor authentication.

For more information on how to secure your production data, check out our guide to information security.
