Interserve has been hit with a £4.4m fine after hackers were able to gain access to employees’ personal data, including bank details, national insurance numbers and health information.
The Information Commissioner’s Office (ICO) found that the outsourcing and construction firm failed to put appropriate security measures in place to prevent a cyber attack, which resulted in hackers gaining access to the personal data of up to 113,000 employees through a phishing email.
The data obtained included contact details, national insurance numbers, bank account details, and information about characteristics including ethnic origin, religion, disabilities, sexual orientation and health conditions.
One employee forwarded a phishing email to a colleague, who opened it and downloaded its content. This resulted in malware being installed onto the employee’s workstation, through which a hacker was able to gain access to the company’s systems and accounts and encrypt the data of former and current employees.
Although the company’s anti-virus software alerted the company about the malware, Interserve failed to thoroughly investigate it. The ICO found its systems and protocols to be outdated, and identified a lack of staff training and sufficient risk assessments.
UK information commissioner John Edwards warned organisations that complacency was the biggest cyber risk they faced.
He said: “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”
Interserve went into administration in March 2019 and was broken up with various business units sold to Mitie, Altrad and Tilbury Douglas.
A statement from Interserve said: “Interserve has worked extensively with the Information Commissioner’s Office and the National Cyber Security Centre since first reporting the cyber incident in May 2020.
“Interserve strongly disputes that its staff and the company’s response were in any way complacent. Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.
“It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group PLC.
“Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations.”
Sridhar Iyengar, managing director at software firm Zoho Europe, warned that organisations with a remote or hybrid working policy might not have full oversight of who or what is connecting to their networks, so effective data privacy policies and procedures should be implemented.
He said: “Without the right privacy best-practice policies and security measures in place, there’s nothing to deter employees from using their own, often unprotected, devices, networks and communication channels to handle extremely sensitive business data. Training and culture form a core part of how employees operate and leaders must ensure their staff both understand and adopt the right practices to adhere to privacy and security policies.
“In addition, businesses must also have a clear understanding of how the third party services they employ or partner with might be harvesting, selling or using their staff or customer data. This is a common tactic with many third party tracker services for search engines, e-commerce sites and social platforms, and many businesses might not even be aware their data is being surveilled. Using business applications that are designed with data privacy and security in mind is imperative for organisations looking to remain safe and compliant, and ensuring the data of their customers and employees is safeguarded effectively.”