Interserve fined £4.4million for breaches of data protection law

The Information Commissioner’s Office has fined Interserve Group Ltd £4.4million for breaches of data protection law which led to the loss of significant amounts of employee personal information.

Between March and May 2020, hackers were able to access, and encrypt, personal data of up to 113,000 of Interserve’s current and former employees (including contact details, NI numbers, bank account details, and other special category personal data) through the use of a phishing email. The phishing email, which was not blocked by Interserve’s system, was received by one employee and subsequently forwarded on to another employee, who downloaded the corrupted attachments. Once downloaded, hackers were able to install malware on that workstation and ultimately gain access to the employee personal data, as well as remove Interserve’s anti-virus software.

After becoming aware of the breach, Interserve submitted a personal data breach notification to the ICO on 5 May 2020. The ICO commenced its investigation into the incident and ultimately decided that there had been a breach of data protection law. It found that “during 18 March 2019 and 1 December 2020, Interserve failed to process personal data in a manner that ensured appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) and Article 32 GDPR”.

The ICO relied on, amongst other things, the following matters:

• Interserve was processing personal data on unsupported operating systems which were no longer the subject of security updates to fix known vulnerabilities in the system;
• Interserve failed to implement appropriate end-point protection;
• Interserve failed to undertake adequate vulnerability scanning and penetration testing;
• One of the two employees who received the phishing email had not undertaken data protection training;
• Interserve had in place outdated protocols;
• The matter was not fully investigated following the initial attack, with it being reported that the malware had been removed when in fact the hacker had retained access and was able to proceed with a further attack; and
• A total of 280 employees were given domain privileges, allowing them wide system rights including, for example, to uninstall anti-virus software.

It stated that Interserve ought reasonably to have been aware of the risks posed by these failures.

As the supervisory authority for the UK, the ICO has the power to notify controllers of alleged infringement and to impose fines or other corrective measures. Fines must be “effective, proportionate and dissuasive in each individual case” and the ICO can impose a maximum fine of up to £17.5million, or up to 4% of a company’s worldwide annual turnover, whichever is the higher.

On 27 April 2022, the ICO issued Interserve with a Notice of Intent, setting a provisional fine amount of £4.4million. The Notice of Intent was subsequently updated in September 2022. The ICO can choose to reduce the level of a fine if a company is able to offer mitigating arguments. Interserve did provide written representations in respect of the Notice of Intent and the updated Notice of Intent, disputing claims that the cyber-attack was avoidable and that it, and its staff, were complacent in their response to the incident. It argued that the company took extensive steps to resolve the incident, mitigate the potential impact, and ensure its infrastructure, systems and processes were fit for purpose going forward.

Notwithstanding this, on 24 October 2022 the ICO said that after “careful consideration” of representations made by Interserve, it had decided that the contraventions were sufficiently serious to justify issuing a penalty in addition to its corrective powers and the contraventions were serious enough to justify a significant fine. It therefore decided not to reduce the level of the fine, which was the fourth largest it has ever imposed. It issued Interserve with a monetary penalty notice to this effect. In reaching this decision, the ICO had regard to, amongst other things, (a) the nature, gravity and duration of the infringement, (b) the intentional or negligent character of the infringement, (c) any mitigating actions taken, (d) the degree of cooperation with the ICO, and (e) the categories of personal data affected.

This serves as an important reminder for businesses to be alert to the very real threat of data protection breaches and cyber-attacks. Businesses should ensure that they have robust systems in place to protect against attacks and policies and procedures to mitigate the impact if attacks or breaches do occur. It is also imperative that all staff members are given regular training on how to comply with these policies and procedures. This applies to businesses of all sizes, and it is clear from the above that failing to comply with these precautions can lead to severe consequences.

We would be happy to assist any client with implementing these policies or reviewing their current organisational compliance and training procedures.