Interserve Group has been slapped with a £4.4m fine for failing to keep the personal information of its staff secure.
The fine, issued by data watchdog the Information Commissioner’s Office (ICO), follows a breach of data protection law in May 2020.
The company was found guilty of failing to put appropriate security measures in place to prevent the cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
Interserve disputes the claim that it or any of its staff were in any way complacent.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details.
The ICO said: “An Interserve employee forwarded a phishing email, which was not quarantined or blocked by the company’s system, to another employee who opened it and downloaded its content.
“This resulted in the installation of malware onto the employee’s workstation.
“The company’s anti-virus software quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems.
“The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
“The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.”
The ICO issued Interserve with a ‘notice of intent’ – a legal document that precedes a potential fine. The provisional fine amount was set at £4.4m. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.
An Interserve statement said: “Interserve has worked extensively with the Information Commissioner’s Office (ICO) and the National Cyber Security Centre since first reporting the cyber incident in May 2020.
“Interserve strongly disputes that its staff and the company’s response were in any way complacent.
“Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.
“It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group PLC.
“Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations.”
Image credit: solarseven/Shutterstock