Companies Can Ill Afford to Become Complacent…
The UK Information Commissioner’s Office (“ICO”) has issued a hefty £4.4 million fine on a Berkshire-based construction company, Interserve Group Ltd, for failing to keep the personal information of its staff secure.
The cyber-attack began when an Interserve employee forwarded a phishing email to another employee, who opened it and downloaded its content. This resulted in the installation of malware on the employee’s workstation. The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. The attacker subsequently compromised 283 systems and 16 accounts and uninstalled the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable. The compromised data included personal information such as contact details, national insurance numbers and bank account details, as well as special category data, which can include data on ethnic origin, religion, details of any disabilities, sexual orientation and health information.
The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, provided inadequate staff training and carried out insufficient risk assessments, which ultimately left it vulnerable to a cyber-attack. Interserve therefore broke data protection law by failing to put appropriate technical and organisational measures in place to prevent unauthorised access to people’s information.
There is a clear warning from the ICO here about how important it is to ensure that all members of staff receive training, so that they are clear on how to identify potential ransomware and malware attacks. John Edwards, the UK Information Commissioner, has warned companies: “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.” In that statement Edwards makes clear that the ICO will be carrying out enforcement on this point, as we have already seen this year (https://ico.org.uk/action-weve-taken/enforcement/tuckers-solicitors-llp-mpn/).
To lessen possible fines, you should also be able to demonstrate that you are complying with data protection regulations insofar as it is possible to do so. This may include keeping a record of employee training and assessments, any relevant Data Protection Impact Assessments (“DPIAs”) and any policies in place regarding when and how to install software updates. In doing so, your company is proving to the regulator that you have done your best to mitigate any possible attacks.
It is also notable that the attackers accessed the data of previous employees. This is an important point to highlight, as it demonstrates a potential issue with data storage: it is not known how long ago these employees left the company. Companies should be reminded to ensure that a suitable data retention period is in place to provide guidance on when data should be deleted, in line with the storage limitation principle set out in Article 5(1)(e) of the UK GDPR.