We use cookies to track usage of our site. Details of these can be found on our Cookie Policy. You may choose to decline all tracking cookies, but if you do some key features may not work as expected.

2022-11-24
Legal Articles

Data Protection: security breach results in £4.4m fine for Interserve

Home / Knowledge base / Data Protection: security breach results in £4.4m fine for Interserve

Posted on 24 November 2022

Introduction

The Information Commissioner's Office (ICO) has issued a fine of £4,400,000 to Interserve Group Ltd (Interserve) for breaching the GDPR, when the personal data of up to 113,000 employees was affected due to a ransomware attack in 2020.
This decision has led the ICO issue a warning that organisations are leaving themselves open to cyber attacks by ignoring crucial measures like updating software and training staff.

What happened?

An Interserve employee forwarded a phishing email to another employee who downloaded its content. This resulted in the installation of malware onto the employee's workstation and remote access to the workstation by the attacker.

Although Interserve's endpoint protection tool removed some of the malware, Interserve took no other action to confirm that all malware had been removed. In fact, there was still ongoing, remote access to the workstation.

This allowed 283 systems to be compromised, including four HR databases containing the personal data of up to 113,000 employees, which the attacker encrypted and made unavailable to Interserve. The compromised employee personal data included contact details, national insurance numbers, bank details, salary information, sexual orientation and health information.

Interserve reported the incident to the ICO and the ICO commenced an investigation.

What were the ICO's findings?

  • The ICO found that Interserve had failed to comply with its obligations under the GDPR, namely:
  • the requirement to process personal data in a manner that ensures appropriate security using appropriate technical or organisational measures; and
  • the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The specific issues cited included:

  • a failure to implement appropriate end-point protection and undertake adequate vulnerability scanning and penetration testing;
  • that personal data was being processed on unsupported and outdated operating systems, including the HR systems which processed significant volumes of special category data;
    that appropriate security training was not implemented for all employees;
  • a proper investigation was not undertaken following the initial attack;
  • there was a failure to implement appropriate technical and organisational measures to promptly restore the availability and access to personal data.

The ICO said that many of the above failures were due to Interserve contravening its own information security protocols, as well as industry standards and best practice guidance.

Next steps

This is the fourth biggest fine that the ICO has issued to date. This decision is a reminder that organisations should not behave complacently in relation to cyber security. To comply with the GDPR's security obligations, organisations should:

  • regularly monitor for suspicious activity and investigate any initial warnings;
  • update software and remove outdated or unused platforms;
  • provide regular staff training on data security
    review and update policies and data management systems (the key is to ensure that what happens in practice correlates to the standards set out in policies);
  • undertake testing in relation to phishing and other threats;
  • encourage secure passwords and multi-factor authentication;
  • investigate all incidents promptly to identify the cause of the incident, restore the data and check the integrity of systems (noting that if there is a cyber attack or breach, then there is a requirement to report this to the ICO).

Tags: Data protection and privacy GDPR

Recent articles

green building in woodland
20 October 2025 Key considerations for landowners in promotion agreements

A land promotion agreement is a legally binding contract between a landowner and a land promoter. This type of agreement allows the landowner to benefit from the promoter’s expertise, experience, and financial resources to obtain planning permission for development. Once planning permission is granted, the value of the land usually increases significantly. The land is then sold on the open market, and the sale proceeds are shared between the promoter and the landowner in agreed proportions.

Read article
Logs in a forest
17 October 2025 Social media & the workplace: who owns what at the end of a relationship?

We all know that social media, if used well, it is a fantastic resource for businesses and individuals. However, unwise social media posts risk legal action, particularly if the boundaries of personal and professional life are blurred. Our Employment and Commercial Litigation teams look at some of these legal risks and their consequences and suggest how to avoid these.

Read article
Path in woodland
16 October 2025 Nilsson v Cynberg

This case study is part of a wider article "No Contract. No Problem?" which explores why legal formalities under the Law of Property (Miscellaneous Provisions) Act 1989 matter, what happens when they’re not followed, and how equitable remedies like constructive trusts and proprietary estoppel can sometimes offer a lifeline. Through key cases, it highlights when informal agreements may still hold weight and when “no contract” really does mean “no deal.”

Read article