15 December, 2022
The ICO announced that it has issued a fine of £4.4 million to Interserve Group Limited, a Berkshire-based construction company, for failing to keep the personal information of its staff secure. Interserve was found to have breached data protection law by failing to put appropriate security measures in place to prevent a cyber-attack, which enabled hackers to access the personal data of up to 113,000 employees via a phishing email. The compromised data included personal information such as contact details and bank account details, as well as special category data including details of disabilities, ethnic origin, religion, and health information.
In March 2020, an Interserve employee forwarded a phishing email, which had not been quarantined or blocked by Interserve's systems, to another employee, who opened it and downloaded its content, resulting in the installation of malware on that employee's workstation. The company's anti-virus software quarantined the malware and raised an alert, but Interserve failed to investigate the suspicious activity thoroughly. The attacker went on to compromise 283 systems and 16 accounts, and uninstalled the company's anti-virus solution.
The ICO investigation found several shortcomings in Interserve's data protection practices. Their notice sets out that between 18 March 2019 and 1 December 2020, Interserve "failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures as required by Articles 5(1)(f) and 32 of the UK GDPR". Article 5(1)(f) states that personal data shall be:
Article 32 of the UK GDPR relates more generally to the security of processing and obliges controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, account must be taken in particular of the risks presented by the processing, especially those arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Speaking about the investigation, John Edwards, the UK Information Commissioner, stated: "this data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud." Edwards went on to say: "the biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."
When imposing the £4.4 million fine, the ICO said that, "having carefully considered" representations from Interserve, it had decided not to reduce the level of the fine, which is the fourth largest it has ever imposed.
The reputational, legal, and financial consequences of suffering a data breach on this scale can be severe if it is not managed effectively. To put this in context, the ICO can impose a maximum fine for data breaches of £17.5 million or 4% of global annual turnover, whichever is higher. It can choose to reduce the level of a fine where a company offers mitigating arguments.
Key takeaways from this decision include:
The outcome of the Interserve investigation shows the willingness of the ICO to hold companies it considers to have breached data protection law to account, even where this means imposing substantial fines. Businesses must make sure that they have appropriate procedures in place to deal efficiently with cyber security incidents, including ensuring that staff regularly undertake cyber security training and know how to respond to incidents when they occur.
You can view a copy of the ICO's decision notice here: Interserve Group Limited | ICO.
For more information contact Gemma Duxbury in our Governance, Procurement & Information department via email or phone on 0333 207 4239. Alternatively send any question through to Forbes Solicitors via our online Contact Form.
Learn more about our Governance, Procurement & Information department here