View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
October 24, 2022

Interserve handed £4.4m fine for failing to act on data breach

The fine came after Interserve failed to secure its network against cyberattack, leaving employee data vulnerable to hackers.

By Ryan Morrison

The Information Commissioner’s Office (ICO) has handed construction company Interserve a £4.4m fine for failing to protect employee data in the wake of a data breach in 2020, prompting the commissioner to urge companies to be proactive in cybersecurity and call for greater global cooperation in cyber resilience due to the growing threat.

Interserve failed to properly monitor its network for security risks or have appropriate training in place (Photo: Kenny Telfer/Shutterstock)
Interserve failed to properly monitor its network for security risks or have appropriate training in place. (Photo by Kenny Telfer/Shutterstock)

Personal and financial information held by Interserve on its 113,000 current and former employees was stolen by an unnamed group of hackers who used a phishing attack in May 2020 to access the servers of the construction company, according to the ICO. It concluded that the company had “failed to put appropriate security measures in place to prevent such an attack”.

Data stolen included contact details, National Insurance numbers and bank account information, the ICO revealed. In addition, hackers were able to access deeply personal details including information on ethnic origin, religion, any disabilities, sexual orientation and health.

A lack of appropriate security measures and monitoring led to the data breach. The phishing email hadn’t been quarantined or blocked by security systems, allowing one employee to forward it to another who then opened it and downloaded the content.

Thousands of employees had data stolen

That download installed malware onto the workstation. At that point the anti-virus quarantined the malware and sent an alert that appears to have been completely ignored by Interserve. If it had acted quickly the company would have found that despite the malware being picked up by the anti-virus, the hacker still had access to the company’s systems.

The hacker compromised 283 different systems within the network and was able to access 16 user accounts that gave further access to personal details. After accessing the information the hacker then uninstalled the anti-virus software and encrypted the stolen data so the company couldn’t gain access without paying a ransom.

Information Commissioner John Edwards warned: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company,” adding that it is vital to regularly monitor for suspicious activity and act quickly.

“If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office,” he cautioned.

Content from our partners
Technology and innovation can drive post-pandemic recovery for logistics sector
How to engage in SAP monitoring effectively in an era of volatility
How to turn the evidence hackers leave behind against them

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

'Fining to make a point'

Jake Moore, Global security adviser for ESET told Tech Monitor: “There is a fine line between threatening companies to build better protections and actually fining them. The threat is usually enough to put pressure on businesses to place more resources in cybersecurity but it is worthless without fining any of them to make a point.

“The ICO is not out to catch companies and force them to fine but in fact help them understand the true risk to their business and their data. Once data is stolen, the clean up is far greater than any fine could be as knock-on attacks can rapidly starburst affecting millions of people,” said Moore.

Edwards said cyberattacks were a global concern and there was a need for more cooperation to tackle the problem. He is presenting a resolution at the upcoming Global Privacy Assembly in Turkey, made up of 120 data protection and privacy authorities, calling for further collaboration.

“The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based,” he said.

Read more: Cyberattacks are the biggest risk to the UK financial system – Bank of England research

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU