
Outsourcing firm Interserve fined £4.4 million by ICO after cyber attack

Written by Wed 26 Oct 2022

[Image: Interserve logo on a flag. Source: Peter Nicholls/Reuters]

The UK’s Information Commissioner’s Office (ICO) has fined UK outsourcer Interserve £4.4 million after a phishing email enabled hackers to gain access to personal data of up to 113,000 of its employees.

The ICO states that Interserve did not implement the necessary cyber security defences, using outdated software systems and protocols. The firm was also said to lack adequate staff training and to have carried out insufficient risk assessments.

“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud,” said the UK Information Commissioner, John Edwards.

The compromised data included sensitive information like national insurance numbers and bank account details, plus special category data such as ethnic origin, religion, details of any disabilities, and sexual orientation.

“Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company,” added Edwards.

In the case of Interserve, an employee forwarded the phishing email to another employee who downloaded its malware content. The company’s anti-virus software did find and quarantine the virus, but the alert was not thoroughly investigated. Had the case been properly investigated, Interserve would have discovered that the hacker had access to vital company systems.

The attack resulted in 283 systems and 16 accounts being compromised, the company’s anti-virus software being uninstalled, and the personal data of all current and former employees being rendered unavailable through encryption.

The ICO determined that Interserve broke data protection law by failing to put appropriate technical and organisational measures in place that would have prevented the attack that happened in 2020.

A fine of £4.4m was imposed by the ICO – the fourth largest it has ever imposed.

The ICO has the power to fine those companies that fail to meet relevant regulations with a maximum fine of whichever is higher: £17.5m or 4% of global annual turnover.

In comments on the fine, Edwards called on companies to stop ignoring essential security measures, such as updating software and training staff, that leave businesses open to cyber attacks.


