We are now seeing larger fines under the GDPR and DPA. Most recently, Interserve Group Ltd has been fined £4,400,000 because of a cyber attack relating to 113,000 employees. The ICO determined that Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.
Despite Interserve having a number of policies and standards around information security, the breach happened like this:
The individual who received the email did not recognise it as a phishing email. This could have been mitigated by the provision of effective training, including, specifically, phishing training, and ongoing monitored phishing tests for all employees.
The employee was working from home, so the zip file which the employee opened was not routed through Interserve’s Internet Gateway System (designed to restrict access to malicious sites). The ICO determined Interserve was using outdated software systems and protocols, and had insufficient risk assessments within the business.
The system reported that the automated removal of malware files had been successful. But this was not verified at the time, and the attacker still had access to the systems – including access to privileged servers with restricted access. The breach was not identified until a routine maintenance check a month later. The ICO investigation determined that Interserve failed to follow up on the original alert of suspicious activity.
How to prevent such breaches
The ICO statement focuses on training, monitoring and systems – John Edwards, the Information Commissioner said:
“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
Written by Victoria Tuffill
31st October 2022
If you are concerned about potential breaches, or what to do if you have a breach, we’d be happy to help. Take a look at our security services or contact us on 01787 277742 or firstname.lastname@example.org.