ICO issues £4.4 million fine for employee data breach - what lessons can be learned?

Together we are Forbes


15 December, 2022

Gemma Duxbury

The ICO announced that it has issued a fine of £4.4million to Interserve Group Limited, a Berkshire based construction company, for failing to keep personal information of its staff secure. Interserve were deemed to have breached data protection law by failing to put appropriate security measures in place to prevent cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The compromised data included personal information such as contact details and bank account details, as well as special category data including details of disabilities, ethnic origin, religion, and health information.


In March 2020, an Interserve employee forwarded a phishing email, which was not quarantined or blocked by the Interserve's system, to another employee who opened it and downloaded its content, resulting in the installation of malware onto the employee's workstation. The company's anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company's anti-virus solution.

Lack of policies and training

The ICO investigation found several shortcomings in Interserve's data protection practices. Their notice sets out that between 18 March 2019 and 1 December 2020, Interserve "failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures as required by Articles 5(1)(f) and 32 of the UK GDPR". Article 5(1)(f) states that personal data shall be:

  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction, or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

Article 32 of the UK GDPR relates more generally to the security of processing and obliges controllers and processers to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed.


When speaking about the investigation, John Edwards, the UK Information Commissioner, stated "this data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud." Edwards carried on, saying "the biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."

When imposing the £4.4 million fine, the ICO said that "having carefully considered" representations from Interserve, it had decided not to reduce the level of the fine, this being the fourth largest it has ever imposed.

What is the impact of this decision and what lessons can be learned?

The reputational, legal, and financial consequences of committing a data breach on this scale can be severe, if not effectively managed. To put this in context, the ICO can impose a maximum fine for data breaches of £17.5million or 4% of global annual turnover, whichever is higher. It can choose to reduce the level of a fine if a company can offer mitigating arguments.

Key takeaways from this decision include:

  1. That businesses must ensure their staff are regularly offered and undertake training surrounding cyber incidents so they are aware of the risks and understand the process of reporting suspicious activities.
  2. It is important that businesses respond to a cyber incident swiftly and efficiently and have appropriate procedures in place when such an incident occurs. The ICO found that Interserve failed to follow-up the original alert of suspicious activity, used outdated software systems and protocols and insufficient risk assessments.
  3. The ICO will consider the size of an organisation when assessing whether its measures in place are reasonable. The ICO considered that the resources available to Interserve aggravated its failures to respond quickly and effectively, ultimately leaving them vulnerable to a cyber-attack.

The Interserve investigation outcome indicates the willingness of the ICO to hold companies who are considered to have breached data protection laws to account, even if this requires imposes substantial fines. Businesses must make sure that they have appropriate procedures in place that efficiently deal with cyber security incidents, including ensuring that staff regularly undertake training in respect of cyber security and how to deal with these if they occur.

You can view a copy of the ICO's decision notice here: Interserve Group Limited | ICO.

For more information contact Gemma Duxbury in our Governance, Procurement & Information department via email or phone on 0333 207 4239. Alternatively send any question through to Forbes Solicitors via our online Contact Form.

Learn more about our Governance, Procurement & Information department here

Social Housing Regulation Bill

Forbes Social Services & Abuse Claims blog series into the IICSA…

Contact Us

Get in touch to see how our experts could help you.

Call0800 689 3206

CallRequest a call back

EmailSend us an email

Contacting Us

Monday to Friday:
09:00 to 17:00

Saturday and Sunday: