Introduction
The Information Commissioner's Office (ICO) has issued a fine of £4,400,000 to Interserve Group Ltd (Interserve) for breaching the GDPR, when the personal data of up to 113,000 employees was affected due to a ransomware attack in 2020.
This decision has led the ICO to issue a warning that organisations are leaving themselves open to cyber attacks by ignoring crucial measures such as updating software and training staff.
What happened?
An Interserve employee forwarded a phishing email to another employee who downloaded its content. This resulted in the installation of malware onto the employee's workstation and remote access to the workstation by the attacker.
Although Interserve's endpoint protection tool removed some of the malware, Interserve took no other action to confirm that all malware had been removed. In fact, there was still ongoing, remote access to the workstation.
This allowed 283 systems to be compromised, including four HR databases containing the personal data of up to 113,000 employees, which the attacker encrypted and made unavailable to Interserve. The compromised employee personal data included contact details, national insurance numbers, bank details, salary information, sexual orientation and health information.
Interserve reported the incident to the ICO and the ICO commenced an investigation.
What were the ICO's findings?
The ICO found that Interserve had failed to comply with its obligations under the GDPR, namely:
- the requirement to process personal data in a manner that ensures appropriate security using appropriate technical or organisational measures; and
- the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The specific issues cited included:
- a failure to implement appropriate end-point protection and undertake adequate vulnerability scanning and penetration testing;
- that personal data was being processed on unsupported and outdated operating systems, including the HR systems which processed significant volumes of special category data;
- that appropriate security training was not implemented for all employees;
- a proper investigation was not undertaken following the initial attack;
- there was a failure to implement appropriate technical and organisational measures to promptly restore the availability and access to personal data.
The ICO said that many of the above failures were due to Interserve contravening its own information security protocols, as well as industry standards and best practice guidance.
Next steps
This is the fourth biggest fine that the ICO has issued to date. This decision is a reminder that organisations should not behave complacently in relation to cyber security. To comply with the GDPR's security obligations, organisations should:
- regularly monitor for suspicious activity and investigate any initial warnings;
- update software and remove outdated or unused platforms;
- provide regular staff training on data security;
- review and update policies and data management systems (the key is to ensure that what happens in practice correlates to the standards set out in policies);
- undertake testing in relation to phishing and other threats;
- encourage secure passwords and multi-factor authentication;
- investigate all incidents promptly to identify the cause of the incident, restore the data and check the integrity of systems (noting that if there is a cyber attack or breach, then there is a requirement to report this to the ICO).