Britain’s data regulator the Information Commissioner’s Office (ICO) recently fined Interserve, a UK-based construction group £4.4 million, following a cyber-attack that allowed threat operators to steal the financial and personal data of around 113,000 employees.

The cyber-attack happened when the construction group operated as an outsourcing business and became designated as a “strategic supplier to the British government taking on elite clients such as the Ministry of Defence, among other. Among the personally identifiable information (PII) that was compromised were, bank account details, ethnic origin, national insurance numbers, religion, and sexual orientation.

Failing to protect data subjects

The ICO has stated that Interserve broke UK data protection law when they failed to put in place appropriate measures to stop the cyber-attack, which occurred around two years ago.

The construction group’s system failed to block a phishing email that a staff member downloaded, and a subsequent alert from the anti-virus it used was not adequately investigated. The result of the attack was that 283 systems and a total of 16 accounts were compromised, Interserve’s anti-virus system was uninstalled and all its present and former employees’ PII was encrypted.

The ICO commented that Interserve had deployed outdated protocols and software systems, displayed insufficient staff training, and conducted inadequate risk assessments. UK Information Commissioner, John Edwards, commented:

“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud. Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”

Weighty fines for firms who fail in their responsibilities

According to UK legislation, the ICO is currently entitled to issue a maximum fine of £17.5 million or 4 per cent of a company’s global annual turnover, depending on which figure is greater. It can, however, choose to reduce how severe the fine is when an enterprise can provide mitigating arguments.

The UK data regulator said that following “careful consideration” of the representations of Interserve, it had opted to not reduce the level of the £4.4 million fine, which is to date, the fourth largest fine ever imposed by the ICO.

Asked about the level of the fine, the Information Commissioner said:

“The intention is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness.”

As current commissioner, Edwards began his five-year role in January this year and added that, at present, the ICO has approximately 80 active investigations and has close to 500 each year.

He commented that ransomware attacks, where hackers return data to an enterprise when they are paid, is now the most typical type of cyber-threat that the ICO deals with. Edwards warned that paying ransom demands does not reduce the level of ICO fines as it is not accepted a reasonable method of safeguarding data.

To avoid fines, it is vital that firms attend immediately to required security updates and put appropriate measures in place to stop cyber-attacks.