We use cookies to track usage of our site. Details of these can be found on our Cookie Policy. You may choose to decline all tracking cookies, but if you do some key features may not work as expected.

2022-11-24
Legal Articles

Data Protection: security breach results in £4.4m fine for Interserve

Home / Knowledge base / Data Protection: security breach results in £4.4m fine for Interserve

Posted by Laura Steel on 24 November 2022

Laura Steel - Commercial Lawyer
Laura Steel Senior Associate
Sign up for updates

Share article

Introduction

The Information Commissioner's Office (ICO) has issued a fine of £4,400,000 to Interserve Group Ltd (Interserve) for breaching the GDPR, when the personal data of up to 113,000 employees was affected due to a ransomware attack in 2020.
This decision has led the ICO issue a warning that organisations are leaving themselves open to cyber attacks by ignoring crucial measures like updating software and training staff.

What happened?

An Interserve employee forwarded a phishing email to another employee who downloaded its content. This resulted in the installation of malware onto the employee's workstation and remote access to the workstation by the attacker.

Although Interserve's endpoint protection tool removed some of the malware, Interserve took no other action to confirm that all malware had been removed. In fact, there was still ongoing, remote access to the workstation.

This allowed 283 systems to be compromised, including four HR databases containing the personal data of up to 113,000 employees, which the attacker encrypted and made unavailable to Interserve. The compromised employee personal data included contact details, national insurance numbers, bank details, salary information, sexual orientation and health information.

Interserve reported the incident to the ICO and the ICO commenced an investigation.

What were the ICO's findings?

  • The ICO found that Interserve had failed to comply with its obligations under the GDPR, namely:
  • the requirement to process personal data in a manner that ensures appropriate security using appropriate technical or organisational measures; and
  • the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The specific issues cited included:

  • a failure to implement appropriate end-point protection and undertake adequate vulnerability scanning and penetration testing;
  • that personal data was being processed on unsupported and outdated operating systems, including the HR systems which processed significant volumes of special category data;
    that appropriate security training was not implemented for all employees;
  • a proper investigation was not undertaken following the initial attack;
  • there was a failure to implement appropriate technical and organisational measures to promptly restore the availability and access to personal data.

The ICO said that many of the above failures were due to Interserve contravening its own information security protocols, as well as industry standards and best practice guidance.

Next steps

This is the fourth biggest fine that the ICO has issued to date. This decision is a reminder that organisations should not behave complacently in relation to cyber security. To comply with the GDPR's security obligations, organisations should:

  • regularly monitor for suspicious activity and investigate any initial warnings;
  • update software and remove outdated or unused platforms;
  • provide regular staff training on data security
    review and update policies and data management systems (the key is to ensure that what happens in practice correlates to the standards set out in policies);
  • undertake testing in relation to phishing and other threats;
  • encourage secure passwords and multi-factor authentication;
  • investigate all incidents promptly to identify the cause of the incident, restore the data and check the integrity of systems (noting that if there is a cyber attack or breach, then there is a requirement to report this to the ICO).

Tags: Data protection and privacy GDPR

Share article

Laura Steel - Commercial Lawyer

About the author

Laura Steel

Senior Associate

Laura provides commercial legal advice to businesses across a range of sectors

Laura Steel

Laura provides commercial legal advice to businesses across a range of sectors

Recent articles

People services law banner
07 December 2023 The WHorld of Employment Law Episode 2: Christmas Parties!

Season's greetings from Wright Hassall! Welcome to a festive themed second episode of The WHorld of Employment Law with Kash Dosanjh, Associate and Sarah Price, Solicitor as they discuss Christmas parties. During the episode, Kash and Sarah discuss common issues that they have come across as a result of work parties and offer advice to employers on what they can do to mitigate this risk.

Read article
Medical negligence banner
07 December 2023 GP remote consultations prove largely effective

Fears that remote consultations with GPs could be unsafe, leading to misdiagnosis of cancers and other potentially life-threatening conditions, such as stroke and heart attack symptoms, have been largely assuaged by a recent Oxford University-led research study 'Remote by Default'. Having looked at the connection between remote consultations and safety incidents it concluded that for most patients the risks are minimal.

Read article
Real estate law banner
05 December 2023 Is ‘hope value’ a help or hindrance?

'Hope value' was originally introduced to ensure that landowners would receive existing use value (EUV) of their land, plus a premium to reflect future lost earnings. Many now argue that such payments are anachronistic and responsible for the artificial inflation of land prices, so the the Levelling Up and Regeneration Act 2023 (LURA) now gives the Secretary of State the ability to remove, or cap, hope value from CPO-related compensation payments.

Read article