Interserve Group fined over £4 million following employee data breaches

Posted on 08 Nov 2022

Construction company fined following employee data breaches 

The ICO has exercised its punitive powers once again by issuing a £4.4 million fine to the UK-based construction company Interserve Group Ltd (“Interserve”) over a data breach caused by employees.

The data breach 

The breach occurred after an employee forwarded a phishing email, which had not been flagged or blocked by Interserve’s firewall, to a colleague who subsequently opened and downloaded the contents of the email. The email was embedded with malware, which was installed on the employee’s system. Interserve then also failed to investigate the breach after its anti-virus had flagged the intrusion. Had it done so, it would have found that the hackers still had access to the database.

As a result, between 30 March 2020 and 2 May 2020, the data of 113,000 current and former employees was compromised. The exposed data included personal information, such as contact details, National Insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

ICO investigation 

The ICO investigated the breach and concluded that between 18 March 2019 and 1 December 2020 Interserve had failed to implement adequate security measures to prevent cyber attacks, which resulted in vast amounts of data being compromised. This amounted to a breach of Article 5(1)(f) (the need to ensure appropriate measures are in place to protect personal data) and Article 32 (the obligation to ensure security of processing) of the GDPR.

The investigation found that Interserve failed to follow up on the system alert. Furthermore, the software and protocol structures in place were not fit for purpose. A significant lack of staff training compounded the breach. The ICO determined that Interserve had failed to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

ICO’s comments 

The Information Commissioner, John Edwards, noted that “the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company” and that other businesses “can expect a similar fine from my office” if they don’t “regularly monitor for suspicious activity in [their] systems and…act on warnings”. 

The ICO issued a ‘notice of intent’ and a subsequent penalty notice of £4.4 million to Interserve on 24 October 2022. 

Data protection lessons to learn 

The ICO’s latest action shows the importance of staff vigilance when it comes to data security. An omission can be just as costly as an action in the eyes of the ICO. 

Organisations must ensure that: 

  • Their anti-virus software is kept up to date;
  • All members of the organisation are vigilant when interacting with emails;
  • Any suspicious emails are deleted and/or reported; and
  • Staff are provided with regular and updated data privacy training.

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765

Declan Bradley

Based in both the City and the UK's South West, Declan is an Employment Lawyer with a focus on advising employers and senior executives across a range of industries including technology, media and finance. Declan has over a decade of experience as a UK lawyer, having worked at an international firm before joining Doyle Clayton in 2015.

  • Partner
  • T: +44 (0) 782 518 3655
