Interserve fined £4.4m after staff details accessed by hackers

Cyber attackers accessed the bank details, national insurance numbers and special category data including ethnicity, religion, sexual orientation and health conditions of up to 113,000 Interserve workers, an investigation has found.

Interserve Group – the company created after Interserve plc’s pre-pack administration – has been fined £4.4m by the Information Commissioner’s Office (ICO) for a breach of data protection law.

Interserve had previously reported it was hit by a cyber-attack in May 2020.

Now the ICO has revealed that an Interserve employee forwarded a phishing email, which was not quarantined or blocked by the company’s systems, to a colleague who opened it and downloaded its content, resulting in the installation of malware onto their workstation.

Interserve’s anti-virus mechanism quarantined the malware and sent an alert, but the company failed to thoroughly investigate the suspicious activity, a statement from the ICO said.

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The ICO found Interserve used outdated software systems and protocols; failed to follow up on the original alert of suspicious activity; provided inadequate staff training; and carried out insufficient risk assessments.
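The failure the ICO describes above, an anti-virus alert that was raised but never followed up before the attacker removed the anti-virus and spread to 283 systems, is the kind of gap alert triage logic should close. What follows is an added example, not code from the article, the ICO or Interserve: a small Python routine run over constructed log lines (the record format, host names, user names and thresholds are all invented for illustration) that escalates a quarantine alert when it was closed without an investigation note, when the anti-virus agent later disappears from a host the alerting user reached, or when that user logs on to several other hosts within a window.

```python
"""Added example: escalate anti-virus quarantine alerts that are followed by
tamper or spread indicators instead of letting them be auto-closed.
Log format and all sample events are constructed; they are not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # av_quarantine | alert_closed | remote_logon | av_uninstalled
    detail: str = ""


# Constructed sample timeline: "timestamp|host|user|kind|detail".
# WS-0417 mirrors the pattern in the article (quarantine, auto-close, spread,
# AV removed); WS-0902 is a properly investigated alert with no follow-on.
SAMPLE_LOG = """\
2020-05-01T09:12:00|WS-0417|j.doe|av_quarantine|trojan dropper quarantined
2020-05-01T09:30:00|WS-0417|soc.analyst|alert_closed|auto-close: file quarantined
2020-05-02T22:05:00|WS-0417|j.doe|remote_logon|to SRV-FILE01
2020-05-02T22:07:00|WS-0417|j.doe|remote_logon|to SRV-DC02
2020-05-02T22:09:00|WS-0417|j.doe|remote_logon|to SRV-BACKUP
2020-05-03T01:40:00|SRV-FILE01|j.doe|av_uninstalled|endpoint agent removed
2020-05-10T11:00:00|WS-0902|a.smith|av_quarantine|adware quarantined
2020-05-10T12:00:00|WS-0902|soc.analyst|alert_closed|investigated: no further activity
"""


def parse_log(text: str) -> list[Event]:
    """Parse the constructed pipe-delimited format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def triage(events: list[Event], window: timedelta = timedelta(days=7),
           lateral_threshold: int = 3) -> dict[str, list[str]]:
    """Return {alert_host: [reasons]} for quarantine alerts needing escalation.

    Thresholds and the 'investigated' closure convention are assumptions."""
    findings: dict[str, list[str]] = {}
    for alert in (e for e in events if e.kind == "av_quarantine"):
        later = [e for e in events if alert.ts < e.ts <= alert.ts + window]
        reasons = []

        # 1. Alert closed on the same host without an investigation note.
        for e in later:
            if (e.kind == "alert_closed" and e.host == alert.host
                    and not e.detail.startswith("investigated")):
                reasons.append(f"alert closed without investigation ({e.detail})")

        # 2. Hosts the alerting user reached afterwards, plus the alert host itself.
        targets = {e.detail.removeprefix("to ").strip()
                   for e in later if e.kind == "remote_logon" and e.user == alert.user}
        touched = {alert.host} | targets

        # 3. Anti-virus removed on any of those hosts: treat as tampering.
        for e in later:
            if e.kind == "av_uninstalled" and e.host in touched:
                reasons.append(f"anti-virus removed on {e.host} at {e.ts.isoformat()}")

        # 4. The same user fanning out to many hosts after the alert.
        if len(targets) >= lateral_threshold:
            reasons.append(f"{alert.user} reached {len(targets)} other hosts after the alert")

        if reasons:
            findings[alert.host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(parse_log(SAMPLE_LOG)).items():
        print(f"ESCALATE {host}:")
        for r in reasons:
            print("  -", r)
```

In practice the events would come from an EDR or SIEM rather than a string, and the window and lateral-movement threshold would be tuned to the environment; the point the routine makes is that a quarantine alert is not closed by the quarantine itself but by confirming that nothing followed it.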

The company broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information, the watchdog ruled.

UK information commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside their company, but from complacency within their company.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

Since the incident, most of Interserve Group has been either sold or spun off, with its construction arm Tilbury Douglas becoming a standalone contractor in June, although it remains owned by the same shareholders.

Its RMD Kwikform business, which was subject to a separate cyber-attack later in 2020 but not fined by the ICO, was sold to Altrad in October 2021, while Mitie bought Interserve’s facilities management operation in November 2020.

Despite the changes, Interserve Group Ltd remains a registered company.

The ICO has powers to pursue formal recovery action that can result in insolvency, and to nominate insolvency practitioners whose investigations can result in personal claims against directors.

A statement from an Interserve Group spokesperson insisted it had cooperated with the ICO and the National Cyber Security Centre to minimise the potential impact on the employees.

He added: “The statements in the ICO’s press release issued on Monday 24th October 2022 are inconsistent with the ICO’s [penalty notice], which does not reference in any way that Interserve was complacent in its actions.

“In fact, as the ICO recognises in its [notice], Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.

“It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group plc.

“Notwithstanding the inconsistencies between the ICO’s [notice] and press release and concerns that the ICO has not followed a fair and proper process, Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations.”
