
ICO Warns Against Complacency as it Hands Out £4.4M GDPR Penalty

The Information Commissioner’s Office (ICO) imposes hefty penalty for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).
November 16, 2022

The Information Commissioner’s Office (ICO) has imposed a hefty penalty of £4.4M on UK-based construction company Interserve Group Ltd. for failing to protect employee personal data, in breach of the UK General Data Protection Regulation (GDPR).

Although Interserve had fallen victim to a cyberattack, the ICO had little sympathy for the company, with Information Commissioner John Edwards stating:

"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office."

Clearly, the ICO is continuing to crack down on companies which don’t take data security seriously. So, what can production teams learn from this decision?

What happened?

In March 2020 a phishing email was sent to Interserve’s accounts team mailbox requesting urgent review of a document. The email wasn’t picked up by Interserve’s email system. An employee monitoring the inbox forwarded it to a colleague who was responsible for paying invoices.

The second colleague opened the email and downloaded the attached zip file. The file installed malware on their computer, giving the hacker access to their system.

Interserve’s anti-virus tool detected the malware and removed it. However, the company failed to take any further steps to investigate the incident and the hacker retained access to the employee’s computer.

The hacker subsequently gained access to Interserve’s IT system. Among other things, the hacker compromised four HR databases containing data relating to 113,000 former and current employees. This data included personal data – such as contact details, national insurance numbers, bank details and salary information – as well as special category personal data, including data relating to ethnic origin, religion, sexual orientation and disabilities.

Two months after the original attack, during a routine maintenance check, Interserve discovered a message on its server stating that it had been hacked. It subsequently reported the attack to the National Cyber Security Centre and the National Crime Agency and submitted a personal data breach notification to the ICO.

The penalty

Following an investigation, the ICO concluded that Interserve had failed to put appropriate technical and organizational measures in place to prevent the cyberattack, in breach of Articles 5(1)(f) and 32 of the UK GDPR.

In particular, the ICO found that Interserve had:

  • Failed to follow up after being alerted to suspicious activity
  • Used outdated software systems and protocols
  • Failed to provide proper staff training (at the time of the incident, only one of the employees who received the phishing email had undertaken data protection training), and
  • Failed to undertake proper risk assessments

According to the ICO, these failures had rendered Interserve vulnerable to a cyberattack.

Takeaways for production

In its decision, the ICO acknowledges that while protecting a business from cyberattacks can feel intimidating, most organizations which get it wrong make preventable mistakes.

With phishing attempts constituting the most common form of cyberattack reported by UK businesses, there are some lessons which can be learned from this decision.

Training, training, training

Because phishers prey on individuals, it’s essential that production teams undergo data protection training so that they can recognize attempted attacks. Unusual or misspelled domain names, poor spelling and grammar, and urgent requests to perform a task (such as making a payment) can all be signs that an email isn't what it seems. As demonstrated in this case, accounts teams may be a particular target due to the nature of their role.

Phishers are becoming increasingly sophisticated, so training should be provided on a regular basis to keep data protection top of mind.

Policies

In addition to providing regular training, it’s essential that production companies have appropriate data protection policies in place and a means to update and promote these. It’s also important to have a clear audit trail of who’s read and agreed to your policies.

Robust systems

Interserve’s outdated software systems made it vulnerable to a cyberattack. Similarly, personal email systems and devices, and unsecured IT networks, can leave you exposed if you’re using them to host and share personal data, such as contract and payment information. To reduce your risk, make sure you’re using a secure, cloud-based solution to manage personal data, with added security measures like multi-factor authentication.

For more information on how to secure your production data, check out our guide to information security.

© 2024 Entertainment Partners. All rights reserved.