UK: ICO fines Interserve Group £4.4M for inadequate data security measures following cyberattack
The Information Commissioner's Office ('ICO') published, on 24 October 2022, a monetary penalty notice, in which it imposed a fine of £4.4 million on Interserve Group Limited, for violations of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an investigation by the ICO and the receipt of a personal data breach notification by Interserve.
Background to the decision
In particular, the ICO stated that Interserve suffered a cyberattack after a phishing email was sent to Interserve's accounts team mailbox; opening it installed malware onto workstations and gave the attacker access to personal data. More specifically, the ICO noted that the attacker had compromised Interserve's servers, which contained personal data, including data of a sensitive nature, relating to up to 113,000 individuals. In this regard, the ICO specified that such personal data included telephone numbers, email addresses, national insurance numbers, bank account details, marital status, birth date, education, country of birth, gender, number of dependants, emergency contact information, and salaries.
Findings of the ICO
Notably, the ICO found that the following conduct of Interserve had contributed to a breach of Article 5(1)(f) of the GDPR:
- processing personal data on unsupported operating systems, which were no longer the subject of security updates to fix known vulnerabilities;
- failing to implement appropriate end-point protection;
- failure to implement appropriate and effective information training of employees;
- failure to update protocols;
- failure to conduct an effective and timely investigation into the cause of the initial attack; and
- failure to effectively manage privileged account access.
Furthermore, in light of the above-mentioned deficiencies in Interserve's data security measures, the ICO also found that Interserve had failed to implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability, access, and resilience of its processing systems and services, contrary to Article 32(1)(b) and (c) of the GDPR. Additionally, the ICO stated that Interserve had failed to regularly test, assess, and evaluate the effectiveness of its technical and organisational measures for ensuring the security of processing, contrary to Article 32(1)(d) of the GDPR.
In light of the above, the ICO imposed a fine of £4.4 million for breaches of the GDPR, noting that the fine must be paid by 21 November 2022 at the latest.