Interserve Group Ltd (Interserve), the parent company of a construction business, has been fined £4,400,000 by the Information Commissioner’s Office (ICO), one of the ICO’s largest fines to date, for failing to protect the personal data of up to 113,000 employees following a cyberattack.
The message is clear from the ICO: the biggest cyber risk to businesses is internal complacency and not necessarily external hackers. In the words of the UK Information Commissioner, John Edwards: “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
Cyberattack v Employer Response
The cyberattack started when an Interserve employee, who was working from home, received a phishing email that Interserve’s email filtering neither quarantined nor blocked. The employee forwarded the email to a colleague, who downloaded its contents. In doing so the colleague unwittingly installed malware on their device and gave the attacker remote access to that workstation.
Interserve’s anti-virus software initially removed some of the malware files and raised an alert. However, Interserve then failed to carry out a sufficient investigation and took no further action to confirm that all malware had been removed from its systems. An anti-virus alert reporting that only some files were removed is itself a sign that the host should be treated as compromised rather than as cleaned, and in this case the attacker retained ongoing access to the employee’s workstation.
From that workstation the attacker was able to reach other Interserve systems, including HR databases containing employees’ national insurance numbers and bank account details as well as special category data (including ethnic origin, details of any disabilities, and sexual orientation).
Once Interserve became aware of the full extent of the cyberattack it promptly reported the incident to the ICO.
ICO Investigation and Outcome
Following the ICO’s investigation, it determined that Interserve had failed to comply with its obligations under:
- Article 5(1)(f) of the GDPR: the requirement to process personal data in a manner that ensures appropriate security using appropriate technical or organisational measures; and
- Article 32 of the GDPR: the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The ICO based its decision on the following factors:
- Unsupported and outdated operating systems: Personal data was processed on unsupported and outdated operating systems (including the HR systems, which processed significant volumes of sensitive personal information) that no longer received security updates for known vulnerabilities.
- Endpoint protection: Failure to implement appropriate endpoint protection.
- Security training: Failure to implement appropriate and effective security training for all employees.
- Investigation: Failure to conduct an effective and timely investigation following the initial alert, including a failure to forensically examine the cause of the attack.
- Account access: Failure to manage privileged account access effectively. An excessive number of staff held wide-ranging privileges, which allowed the attacker to compromise multiple accounts that had permission to uninstall anti-virus software.
- Protocols: Acting in conflict with Interserve’s own internal information security protocols, as well as with industry standards and best practice guidance.
As a result of the above failings and given the sheer volume and nature of sensitive personal data involved, the ICO issued Interserve with a fine of £4,400,000. It is yet to be seen whether Interserve will choose to appeal against the ICO’s fine.
ICO’s change in approach
Whilst there is a continuing trend of increased enforcement action for non-compliance by the ICO, there appears to be a change in approach by how the ICO reaches a decision.
Previously when the ICO investigated personal data breach incidents, it tended to focus mainly on the relevant chain of events and steps that could have been taken to prevent the incident in question. In this case, the ICO took a much broader approach and forensically examined whether Interserve generally had appropriate technical and organisational measures in place to adequately protect personal data, rather than focusing solely on the security controls directly linked to the incident in question.
This change in approach by the ICO, and the decision it reached in this case, should serve as a red flag to employers that there is no place for complacency in the security measures they rely on to protect personal data.
Practical steps for employers
A cyberattack is not just a possibility but a reality that every employer should plan for.
Prevention is (nearly) always better than cure. There are therefore a number of proactive measures that employers should be taking to best ensure compliance with the GDPR’s security obligations:
- Training and culture: Provide employees at all levels of the business with effective and ongoing cyber security training. Training should be practical and interactive, for example periodically sending simulated phishing emails to test awareness and the reporting response. Consider disciplinary action where employees fail to follow privacy and security policies.
- Security policy updates: Review and refresh information security policies, and test how the policies are applied in practice to ensure they meet the required standard.
- Data privacy policies and procedures: Where an employer operates a remote or hybrid working policy it may not have full oversight of who or what is connecting to its networks, so effective data privacy policies and procedures should be implemented. Alongside this, employees should be sufficiently trained and made aware of the risks.
- IT infrastructure and operating systems: Assess and periodically update IT infrastructure and operating systems, retire systems that no longer receive security updates, and carry out penetration testing and other resilience testing.
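As an added example (not part of the ICO decision or of the original article), the following Python script shows how an employer could check two of the failings identified above against its own estate: hosts still running an operating system past end of support, weighted more heavily where the host processes sensitive data such as HR records, and accounts whose local administrator rights reach across many hosts (the blast radius if one such account is phished). The inventory, host names, account names and the end-of-support dates are constructed sample data and assumptions; in practice the inventory would come from the organisation’s asset and directory tooling, and the dates from the vendor’s lifecycle pages.

```python
"""Audit a fleet inventory for unsupported operating systems and over-broad
privileged access. All inventory data and dates below are constructed
sample data for illustration, not Interserve's estate."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Illustrative end-of-support dates (assumption: verify against the vendor's
# lifecycle pages before relying on them).
END_OF_SUPPORT: dict[str, date] = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
}


@dataclass
class Host:
    name: str
    os: str
    sensitive_data: bool               # e.g. an HR database holding special category data
    local_admins: list[str] = field(default_factory=list)


def unsupported_hosts(hosts: list[Host], today: date) -> list[dict]:
    """Return one finding per host whose OS is past end of support.

    Hosts processing sensitive data are rated critical: they are the systems
    whose compromise does the most harm and the ICO singled out HR systems."""
    findings = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os)
        if eos is None or today <= eos:
            continue
        findings.append({
            "host": h.name,
            "os": h.os,
            "days_unsupported": (today - eos).days,
            "severity": "critical" if h.sensitive_data else "high",
        })
    return findings


def over_broad_admins(hosts: list[Host], max_admins_per_host: int = 3,
                      max_hosts_per_admin: int = 2) -> dict:
    """Flag hosts with too many local administrators and accounts that are
    administrators on too many hosts. The thresholds are assumptions; tune
    them to the estate. An account with wide reach is exactly what lets a
    single phished workstation turn into access to HR databases."""
    reach: dict[str, set[str]] = {}
    for h in hosts:
        for account in h.local_admins:
            reach.setdefault(account, set()).add(h.name)
    return {
        "hosts_with_too_many_admins": sorted(
            h.name for h in hosts if len(h.local_admins) > max_admins_per_host
        ),
        "accounts_with_wide_reach": {
            account: sorted(names)
            for account, names in sorted(reach.items())
            if len(names) > max_hosts_per_admin
        },
    }


def audit(hosts: list[Host], today: date) -> dict:
    """Combine both checks into one report suitable for a periodic review."""
    return {
        "unsupported": unsupported_hosts(hosts, today),
        "privilege": over_broad_admins(hosts),
    }


# Constructed sample inventory (hypothetical host and account names).
SAMPLE_HOSTS = [
    Host("HR-DB-01", "Windows Server 2008 R2", True,
         ["svc_backup", "alice", "bob", "carol", "dave"]),
    Host("WS-REMOTE-07", "Windows 10", False, ["alice", "erin"]),
    Host("FILE-02", "Windows Server 2012 R2", False, ["alice", "svc_backup"]),
    Host("WS-FIN-03", "Windows 11", False, ["bob"]),
]
AUDIT_DATE = date(2024, 6, 1)   # assumed date of the review

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_HOSTS, AUDIT_DATE), indent=2))
```

Run as-is, the report flags the HR database host as critical (sensitive data on an OS years past end of support), the file server as high, the HR host for having five local administrators, and the account alice as an administrator on three hosts. The useful output is not the list itself but the trend across periodic runs: an estate where these lists are not shrinking is the complacency the ICO describes.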
Not every cyberattack can be prevented. Where an attack does occur, employers need to act fast. Every such incident should be immediately and thoroughly investigated to establish its root cause, confirm that the attacker no longer has access, and protect and restore the affected personal data.