Regulator fines a UK construction firm £4.4m for data protection breach caused by ‘complacency’

The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.

The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to construction company Interserve Group for failing to keep personal information of its staff secure. This is a breach of data protection law.

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

John Edwards, UK Information Commissioner, said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.

”If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

Details of the Interserve data breach

An Interserve employee forwarded a phishing email, which was not quarantined or blocked by the Interserve’s system, to another employee who opened it and downloaded its contents. This resulted in the installation of malware onto the employee’s workstation.

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.

Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.

The ICO issued Interserve with a ‘notice of intent’ - a legal document that precedes a potential fine. The provisional fine amount was set at £4.4million. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.

Warning for hybrid firms

Sridhar Iyengar, MD for Zoho Europe, commented: “Today the UK’s data watchdog has warned businesses about complacency surrounding cybersecurity, stating it is one of the biggest cyber risks businesses face and it will fine firms who fall short.

”Implementing and executing an effective data privacy policy takes work and commitment. Businesses need to understand where their data security weaknesses reside, before they can address them.

“For example, organisations that opt for a remote or hybrid working model might not have full oversight on who or what is connecting to their networks. Without the right privacy best-practice policies and security measures in-place, there’s nothing to deter employees from using their own, often unprotected, devices, networks and communication channels to handle extremely sensitive business data.

”Training and culture form a core part of how employees operate and leaders must ensure their staff both understand and adopt the right practices to adhere to privacy and security policies.

Firms must also have a clear understanding of how the third party services they employ or partner with are using their staff or customer data.

“This is a common tactic with many third party tracker services for search engines, e-commerce sites and social platforms, and many businesses might not even be aware their data is being surveilled,” said Iyengar.

”Using business applications that are designed with data privacy and security in mind is imperative for organisations looking to remain safe and compliant, and ensuring the data of their customers and employees is safeguarded effectively.”