Franchise

ICO fines Interserve £4.4 million in relation to a cyber attack

Details of the incident

On 19 October 2022 the ICO fined Interserve Group Limited (Interserve) £4.4 million in relation to contraventions of Article 5(1)(f) and Article 32 of the GDPR which occurred between 18 March 2019 and 1 December 2020.

On 30 March 2020 a phishing email was sent to Interserve’s accounts team with an urgent request to review a document.  The email and attachment were opened by an employee and downloaded onto their workstation, which executed the installation of malware, giving the hacker access to the employee’s workstation.

When this incident was discovered, Interserve’s team took steps to remove some of the files, but did not verify that all of the malware had been removed.  Malware remained on the employee’s workstation and over the next month the attacker was able to compromise almost 300 systems and uninstall Interserve’s antivirus protection. The hacker encrypted data on the systems and rendered it unavailable to Interserve. 

This further incident was discovered during a maintenance check on 2 May 2020 at which point Interserve notified the National Cyber Security Centre of the incident.

In total, over 113,000 employees’ data were compromised.  The data included information such as contact details, national insurance number and bank details as well as special category data such as health information, gender, sexual orientation and disability information. 

ICO findings

The ICO identified a raft of failings on Interserve’s part in relation to information security.  These included:

  • Basic failures to keep systems up to date, to use standard protections like operating the latest antivirus protection and using out of date protocols;
  • Failure to undertake appropriate vulnerability scanning and penetration testing;
  • Failure to provide appropriate data protection training for its employees;
  • Failings in the initial investigation of the incident;
  • Failure to properly manage access permissions; and
  • Failure to restore data in a timely manner.

It is worth noting that Interserve had information security policies in place, but these were not adhered to.

The ICO decision gives an interesting walk through of aggravating and mitigating factors which influenced the amount of the fine. The starting point for the fine was set at £4 million – a reduction to £3.5m was made for the remedial steps taken (despite earlier failures in this regard). The failure to observe its own policies and procedures and the fact some of the failings were basic security issues which could have been fixed without significant cost and failure to take account of publicly available guidance boosted the fine to £4.5 million. Co-operation with the ICO saw a reduction to £4.4 million. The rest of the factors explored had a neutral effect.

Information security and cyber security in particular are topics which have been receiving a lot of press at the moment. Please see below for our top tips on improving cyber security compliance in your organisation.

Top tips on improving cyber security

Cyber security continues to be a hot topic for all organisations. As demonstrated by the ENISA report, the landscape is evolving, and attackers are becoming more sophisticated. As such, it is vital to ensure cyber security is a central part of your compliance programme. The following (although not an exhaustive list) are some top tips on improving your approach to cyber security.

  1. Consider where the main threats to your cyber security lie and consider how effective the measures you have in place are at addressing them. Those responsible for data protection within an organisation should be satisfied these issues are being addressed even if another team is technically responsible.
  2. Ensure you have appropriate policies and procedures in place and that there is clear ownership of the responsibilities contained in them. A major failing in the Interserve case was the lack of compliance with their own policies. These policies and procedures must be reviewed on a regular basis to ensure they are fit for purpose.
  3. Ensure your systems and cyber security protections are up to date and that your employees are taking steps to complete any updates they need to undertake personally. This is basic, yet it was overlooked by Interserve. Out of date systems and software may no longer receive security updates, creating vulnerabilities which can be exploited. Regular testing will also be necessary to ensure systems/protections are behaving correctly.
  4. Ensure your employees are properly trained. As identified in the ENISA threat report, the most common way in which hackers gain access in ransomware attacks is via phishing.  Consider which teams are most at risk of such an attack and ensure you are undertaking regular and specific training about how to spot a phishing email. You should also offer training more broadly on information security.
  5. Ensure your processes for onboarding and ongoing management of third-party suppliers are fit for purpose. As the ENISA report identified, cyber attackers are increasingly exploiting weaknesses in supply chains in order to get access to a bigger target. Conducting a proper review of your suppliers’ data protection and information security practices when considering whether to onboard a supplier and having an ongoing programme to review this can be a way of reducing these risks.
  6. Check your permissions. Access permissions should be the subject of policies and procedures. Where these are in place, check they are being applied correctly. One of the issues in the Interserve case was the wide permissions granted to employees which, in some cases, included the ability of some individuals to uninstall antivirus protection – this was exploited by the hackers.
  7. Ensure your incident response procedures are robust. Whilst you may not always be able to prevent unauthorised access to your systems, you can control your response and so potentially the damage done by any incident.
  8. Keep up to date with threats in order to identify any new training needs for your organisation.


Share:

Facebook
Twitter
Pinterest
LinkedIn

Related Posts

Don't just take our word for it
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
"We have been working with HelloDPO for several years now and I have always found them to be friendly, approachable and above all professional in their approach. I would have no hesitation in recommending them."
Serena MayDirector, Southern HR Ltd
Serena May
“We have worked with Jenai, Alison and the HelloDPO team for over 5 years as our DPO and have found their advice and support invaluable. They are pragmatic and flexible in the advice they provide, and assist in making data protection compliance apply in a corporate environment. Working with them is like having additional members of our team, and the relationship has flourished over time."
Craig SaundersHead of International Privacy, Aetna Global Benefits (UK) Ltd
Craig Saunders
“The team (Jenai and Lisa) provided DPO services and compliance support to our business for over a year, during which they consistently delivered high quality advice and excellent client service. The demands of the hospitality industry are high and HelloDPO adapted to this quickly and seamlessly – they are responsive, knowledgeable, and pragmatic. They are also a pleasure to work with.”
Frasers Hospitality (UK) Ltd
“We have been working with HelloDPO for nearly a year. The team have been great to work with, highly professional and flexible. Most importantly, they have given clear advice and guidance in what is a very complex area. Well done and we look forward to continuing working with you!”
Ruth HidalgoDirector, Chartered Accountants Worldwide
Ruth Hidalgo
“The HelloDPO team have led us patiently through the intricacies of GDPR over the years, helping us to navigate a careful path to ensure understanding of the rules and therefore compliance with them. HelloDPO are a pleasure to work with and I’d have no hesitation in recommending them to others looking for good, commercial advice in this complex area.”
Sanjay PatelFinance Director, Cadogan Group Limited
“We have recently engaged HelloDPO and the team, led by Jenai, has been responsive, practical and generally very helpful when dealing with our data protection queries. We look forward to what’s on track to becoming a great working relationship!”
Federica CozzaniSenior Legal Counsel, Compre Group
Federica Cozzani
“If you’re looking for trustworthy, pragmatic and diligent legal advisors, say Hello(to)DPO! The team has been a great support to Skyscanner on a broad range of privacy and data protection matters, whether advising at a compliance level or on more acute legal issues. You’ll enjoy considerate, timely and helpful advice, provided by professionals with whom it’s a delight to work.”
Gemma WithamDirector of Legal (Privacy), Group Privacy Officer, Sykscanner Limited
Gemma Witham
“Jenai and Emma are amazing to deal with. They strike the right balance between understanding the business needs while doing it’s fiduciary duty to ensure we are on the right track from a legal, ethical and moral perspective. Working with HelloDPO’s guidance over the past 2 years has enabled X-Mode (now known as Outlogic) to be able to navigate complex and at times uncertain waters with GDPR in a strategic and ethical manner.”
Joshua AntonCEO, Outlogic
Joshua Anton
“A great bespoke service, delivered flexibly by absolute experts in a friendly, collaborative and accessible way. I cannot recommend more highly!"
Clare RussellInterim Head of Legal, Vue UK & Ireland
Clare Russell
“HelloDPO have been brilliant at getting our data compliance into shape. We have come such a long way in our ways of working and they are always on hand to help when we have complicated or urgent issues – they have simply become part of the team."
Josh TowbHead of Business Transformation, Jigsaw
Josh Towb
“The HelloDPO team have provided Channel 4 with a wide range of data protection advice over the years. Alison is always delightful to work with, and her advice is pragmatic and set within a commercial context, which is particularly helpful. HelloDPO runs regular DP Confessionals, which provide our team with a valuable wider industry view and a sense of issues which other organisations are struggling with, and the ways in which they are approaching them."
Rebecca MillerChannel 4
Previous
Next

Subscribe to our privacy news and legislation updates

Subscribe now

We are here to make our data-driven world a more equitable and ethical place to live, work, and thrive by pragmatically balancing our clients’ commercial ambitions with every individual’s right to privacy.

Linkedin
Navigation
Legal & compliance
HelloDPO Law Logo
© 2024 HelloDPO. All rights reserved. The use of any material on the website without our prior written consent is strictly prohibited.

Website developed by Bowler Hat

Data Protection; Demystified