Privacy & Information Security Law Blog

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. The ICO determined that such violations rendered Interserve vulnerable to the cyber attack which took place between March 2020 and May 2020, affecting the personal data of up to 113,000 Interserve employees. The compromised data included contact details, national insurance numbers and bank account details, as well as special category data, including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

The initial cause of the personal data breach was a phishing email sent to an employee that was not quarantined or blocked by Interserve’s systems. This email was forwarded to another employee who viewed and downloaded the content which resulted in the installation of malware onto the employee’s workstation. While Interserve’s anti-virus quarantined the malware and sent an alert, the attacker still had access to Interserve’s systems, which the ICO determined would not have happened, had Interserve thoroughly investigated the activity. The ICO’s investigation found that Interserve failed to follow up on the original alert of a suspicious activity, had in place outdated software systems and protocols and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them exposed and vulnerable to a cyber attack.

In a statement regarding the fine, John Edwards, the UK Information Commissioner, delivered the following message to other organizations: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.” The ICO in this respect, states that to better safeguard people’s data, organizations must regularly monitor for suspicious activity and investigate any initial warnings; update software and remove outdated or unused platforms; provide regular staff training, encourage secure passwords and multi-factor authentication; and update policies and secure data management systems.