The Information Commissioner’s Office (ICO) has fined construction company Interserve £4.4m for failing to protect employee data in a 2020 data breach. The commissioner used the decision to urge companies to be proactive about cybersecurity and to call for greater international cooperation on cyber resilience in the face of a growing threat.
Personal and financial information held by Interserve on its 113,000 current and former employees was stolen by an unnamed group of hackers who used a phishing attack in May 2020 to access the servers of the construction company, according to the ICO. It concluded that the company had “failed to put appropriate security measures in place to prevent such an attack”.
Data stolen included contact details, National Insurance numbers and bank account information, the ICO revealed. In addition, the hackers were able to access deeply personal details, including information on ethnic origin, religion, any disabilities, sexual orientation and health, all of which is special category data under the UK GDPR.
A lack of appropriate security measures and monitoring led to the data breach. The phishing email was neither quarantined nor blocked by Interserve’s email security, so one employee was able to forward it to a colleague, who opened it and downloaded its content.
Thousands of employees had data stolen
That download installed malware on the workstation. The anti-virus quarantined the malware and raised an alert, but the alert appears to have been ignored by Interserve. Had it been investigated promptly, the company would have found that the attacker still had access to its systems despite the malware being picked up by the anti-virus: quarantining the malware had not ended the intrusion.
The attacker went on to compromise 283 systems on the network and 16 user accounts, which gave further access to personal details. Having accessed the information, the attacker uninstalled the anti-virus software and encrypted the data on the compromised systems, leaving Interserve unable to access it without paying a ransom.
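The failure mode in the paragraphs above is the instructive part for defenders: the anti-virus caught the malware, but the quarantine alert was never correlated with what the workstation did next. The following is an added example and is not code from the article, the ICO or Interserve. It is a minimal triage rule over constructed, synthetic log events that treats a quarantine alert as the start of an investigation rather than the end of one, and escalates when the same host shows new account activity, remote execution towards other hosts, or the anti-virus service being stopped inside a follow-up window. Every hostname, account name, event kind, field name and timestamp below is invented for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalised telemetry record (constructed format, not a vendor schema)."""
    ts: datetime
    host: str     # host on which the event was observed
    kind: str     # av_quarantine | logon | remote_exec | av_service_stopped
    detail: str   # malware name, account name, or target host depending on kind


T0 = datetime(2020, 5, 1, 9, 0)  # arbitrary constructed date, not the incident's


# Constructed sample telemetry: every hostname, account and time is invented.
SAMPLE_EVENTS = [
    # ws-017: quarantine followed by activity that should stop the alert being closed
    Event(T0, "ws-017", "av_quarantine", "Trojan.Downloader"),
    Event(T0 + timedelta(minutes=4), "ws-017", "logon", "svc_backup"),
    Event(T0 + timedelta(minutes=30), "ws-017", "remote_exec", "fs-01"),
    Event(T0 + timedelta(hours=2), "ws-017", "remote_exec", "dc-02"),
    Event(T0 + timedelta(hours=5), "ws-017", "av_service_stopped", "agent uninstalled"),
    # ws-204: quarantine with nothing unusual afterwards (same user as before)
    Event(T0 + timedelta(days=1, hours=-1), "ws-204", "logon", "jsmith"),
    Event(T0 + timedelta(days=1), "ws-204", "av_quarantine", "Adware.Generic"),
    Event(T0 + timedelta(days=1, minutes=10), "ws-204", "logon", "jsmith"),
]


def triage(events, window=timedelta(hours=72)):
    """For each host with a quarantine alert, look at what that host did afterwards.

    Returns {host: {"verdict": "escalate" | "close", "reasons": [...], "hosts_reached": int}}.
    A logon counts as suspicious only if the account had not been seen on the host
    before the quarantine, so routine activity by the usual user does not escalate.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)

    findings = {}
    for host, evs in by_host.items():
        quarantines = [e for e in evs if e.kind == "av_quarantine"]
        if not quarantines:
            continue
        t0 = quarantines[0].ts
        known_accounts = {e.detail for e in evs if e.kind == "logon" and e.ts < t0}
        after = [e for e in evs if t0 < e.ts <= t0 + window]

        reasons = []
        new_accounts = sorted({e.detail for e in after if e.kind == "logon"} - known_accounts)
        if new_accounts:
            reasons.append("new account(s) active after quarantine: " + ", ".join(new_accounts))
        reached = sorted({e.detail for e in after if e.kind == "remote_exec"})
        if reached:
            reasons.append(f"remote execution towards {len(reached)} other host(s): " + ", ".join(reached))
        if any(e.kind == "av_service_stopped" for e in after):
            reasons.append("anti-virus service stopped or removed after the alert")

        findings[host] = {
            "verdict": "escalate" if reasons else "close",
            "reasons": reasons,
            "hosts_reached": len(reached),
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {finding['verdict'].upper()}")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

Run as a script, the rule escalates ws-017 on all three indicators and closes ws-204, whose only post-quarantine activity is a logon by the account already seen there. The point of the design is that the quarantine itself is not the verdict; the host's behaviour in the hours after it is, and an anti-virus service stopping shortly after an alert on the same machine is treated as a reason to escalate rather than as noise.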
Information Commissioner John Edwards warned: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company,” adding that it is vital to regularly monitor for suspicious activity and act quickly.
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” he cautioned.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”
'Fining to make a point'
Jake Moore, global security adviser at ESET, told Tech Monitor: “There is a fine line between threatening companies to build better protections and actually fining them. The threat is usually enough to put pressure on businesses to place more resources in cybersecurity but it is worthless without fining any of them to make a point.
“The ICO is not out to catch companies and force them to fine but in fact help them understand the true risk to their business and their data. Once data is stolen, the clean up is far greater than any fine could be as knock-on attacks can rapidly starburst affecting millions of people,” said Moore.
Edwards said cyberattacks were a global concern that required more cooperation to tackle. He is presenting a resolution calling for further collaboration at the upcoming Global Privacy Assembly in Turkey, a body of 120 data protection and privacy authorities.
“The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based,” he said.