Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

Personnel Today

Register
Log in
Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+

General Data Protection RegulationData protectionLatest NewsTraining needs analysisTraining policies

Interserve fined £4.4m following employee data breach

by Ashleigh Webber 24 Oct 2022
by Ashleigh Webber 24 Oct 2022 Shutterstock
Shutterstock

Interserve has been hit with a £4.4m fine after hackers were able to gain access to employees’ personal data, including bank details, national insurance numbers and health information.

The Information Commissioner’s Office (ICO) found that the outsourcing and construction firm failed to put appropriate security measures in place to prevent a cyber attack, which resulted in hackers gaining access to the personal data of up to 113,000 employees through a phishing email.

The data obtained included contact details, national insurance numbers, bank account details, and information about characteristics including ethnic origin, religion, disabilities, sexual orientation and health conditions.

One employee forwarded a phishing email to a colleague, who opened it and downloaded its content. This resulted in malware being installed onto the employee’s workstation, through which a hacker was able to gain access to the company’s systems and accounts and encrypt the data of former and current employees.

Although the company’s anti-virus software alerted the company about the malware, Interserve failed to thoroughly investigate it. The ICO found its systems and protocols to be outdated, and identified a lack of staff training and sufficient risk assessments.

Data protection

What has cyber security got to do with HR?

GDPR: H&M fined record £32m for intrusive ‘people analytics’

UK information commissioner John Edwards warned organisations that complacency was the biggest cyber risk they faced.

He said: “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

Interserve went into administration in March 2019 and was broken up with various business units sold to Mitie, Altrad and Tilbury Douglas.

A statement from Interserve said: ”Interserve has worked extensively with the Information Commissioner’s Office and the National Cyber Security Centre since first reporting the cyber incident in May 2020.

“Interserve strongly disputes that its staff and the company’s response were in any way complacent.Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.

“It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group PLC.

“Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations.”

Sridhar Iyengar, managing director at software firm Zoho Europe, warned that organisations with a remote or hybrid working policy might not have full oversight of who or what is connecting to their networks, so effective data privacy policies and procedures should be implemented.

He said: “Without the right privacy best-practice policies and security measures in-place, there’s nothing to deter employees from using their own, often unprotected, devices, networks and communication channels to handle extremely sensitive business data. Training and culture form a core part of how employees operate and leaders must ensure their staff both understand and adopt the right practices to adhere to privacy and security policies.

“In addition, businesses must also have a clear understanding of how the third party services they employ or partner with might be harvesting, selling or using their staff or customer data. This is a common tactic with many third party tracker services for search engines, e-commerce sites and social platforms, and many businesses might not even be aware their data is being surveilled. Using business applications that are designed with data privacy and security in mind is imperative for organisations looking to remain safe and compliant, and ensuring the data of their customers and employees is safeguarded effectively.”

HR Director opportunities on Personnel Today

Sign up to our weekly round-up of HR news and guidance

Receive the Personnel Today Direct e-newsletter every Wednesday

OptOut
This field is for validation purposes and should be left unchanged.


Browse more HR director jobs

 

Ashleigh Webber

Ashleigh is a former editor of OHW+ and former HR and wellbeing editor at Personnel Today. Ashleigh's areas of interest include employee health and wellbeing, equality and inclusion and skills development. She has hosted many webinars for Personnel Today, on topics including employee retention, financial wellbeing and menopause support.

previous post
Report recommends office space ‘sweet spot’ for productivity
next post
Eight in 10 vote for strike at universities

You may also like

Restaurant tips should be included in holiday pay

21 May 2025

Fewer workers would comply with a return-to-office mandate

21 May 2025

Redefining leadership: From competence to inclusion

21 May 2025

Pay awards in real terms could fall for...

21 May 2025

Ryanair demands flight attendants pay back salary increase

21 May 2025

Consultation launched after Supreme Court ‘sex’ ruling

20 May 2025

Uncertainty over law hampering legal use of medical...

20 May 2025

Black security manager awarded £360k after decade of...

20 May 2025

Employers ‘worryingly’ ignorant about stress risk assessments

20 May 2025

UK and EU agree to collaborate on ‘youth...

19 May 2025

  • 2025 Employee Communications Report PROMOTED | HR and leadership...Read more
  • The Majority of Employees Have Their Eyes on Their Next Move PROMOTED | A staggering 65%...Read more
  • Prioritising performance management: Strategies for success (webinar) WEBINAR | In today’s fast-paced...Read more
  • Self-Leadership: The Key to Successful Organisations PROMOTED | Eletive is helping businesses...Read more
  • Retaining Female Talent: Four Ways to Reduce Workplace Drop Out PROMOTED | International Women’s Day...Read more

Personnel Today Jobs
 

Search Jobs

PERSONNEL TODAY

About us
Contact us
Browse all HR topics
Email newsletters
Content feeds
Cookies policy
Privacy policy
Terms and conditions

JOBS

Personnel Today Jobs
Post a job
Why advertise with us?

EVENTS & PRODUCTS

The Personnel Today Awards
The RAD Awards
Employee Benefits
Forum for Expatriate Management
OHW+
Whatmedia

ADVERTISING & PR

Advertising opportunities
Features list 2025

  • Facebook
  • Twitter
  • Instagram
  • Linkedin


© 2011 - 2025 DVV Media International Ltd

Personnel Today
  • Home
    • All PT content
  • Email sign-up
  • Topics
    • HR Practice
    • Employee relations
    • Learning & training
    • Pay & benefits
    • Wellbeing
    • Recruitment & retention
    • HR strategy
    • HR Tech
    • The HR profession
    • Global
    • All HR topics
  • Legal
    • Case law
    • Commentary
    • Flexible working
    • Legal timetable
    • Maternity & paternity
    • Shared parental leave
    • Redundancy
    • TUPE
    • Disciplinary and grievances
    • Employer’s guides
  • AWARDS
    • Personnel Today Awards
    • The RAD Awards
  • Jobs
    • Find a job
    • Jobs by email
    • Careers advice
    • Post a job
  • Brightmine
    • Learn more
    • Products
    • Free trial
    • Request a quote
  • Webinars
  • Advertise
  • OHW+