Interserve Group fined over £4 million following employee data breaches

Construction company fined following employee data breaches 

The ICO has exercised its punitive powers once again by issuing a £4.4 million fine to UK based construction company, Interserve Group Ltd (“Interserve”), over a data breach caused by employees. 

The data breach 

The breach occurred after an employee forwarded a phishing email, which had not been flagged or blocked by Interserve’s firewall, to a colleague who subsequently opened and downloaded the contents of the email. The email was embedded with malware which became installed on to the employee’s system. Interserve also then failed to investigate the breach, after its anti-virus had flagged the intrusion. If they had done so, it would have shown that the hackers still had access to the database. 

As a result, between 30 March 2020 and 2 May 2020, the data of 113,000 current and former employees was compromised. The exposed data included personal information, such as contact details, National Insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information. 

ICO investigation 

The ICO investigated the breach and concluded that between 18 March 2019 and 1 December 2020 Interserve had failed to implement adequate security measures to prevent cyber attacks, which resulted vast amounts of data being compromised. This amounted to a breach of Article 5(1)(f) (the need to ensure appropriate measures are in place to protect personal data) and Article 32 (the obligation to ensure security of processing) of the GDPR. 

The investigation found that Interserve failed to follow up on the system alert. Furthermore, the software and protocol structures in place were not fit for purpose. A significant lack of staff training compounded the breach. The ICO determined that Interserve had failed to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information. 

ICO’s comments 

The Information Commissioner, John Edwards, noted that “the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company” and that other businesses “can expect a similar fine from my office” if they don’t “regularly monitor for suspicious activity in [their] systems and…act on warnings”. 

The ICO issued a ‘notice of intent’ and a subsequent penalty notice of £4.4 million to Interserve on 24 October 2022. 

Data protection lessons to learn 

The ICO’s latest action shows the importance of staff vigilance when it comes to data security. An omission can be just as costly as an action in the eyes of the ICO. 

Organisations must ensure that: 

• Their anti-virus software is kept up to date 
• All members of the organisation are vigilant when interacting with emails 
• Any suspicious emails are deleted and/or reported and 
• Staff are provided with regular and updated data privacy training.