A British construction company is facing fines of more than £4m by the data protection regulator after a cyber-attack enabled hackers to steal the personal and financial information of up to 113,000 employees.
At the time of the attack, the Interserve Group, which is based in Berkshire, ran an outsourcing business and was designated a “strategic supplier to the government with clients including the Ministry of Defence”.
But bank details, NI numbers, details of ethnic origin, sexual orientation and religion were among the huge cache of personal information compromised.
The Information Commissioner’s Office (ICO) ruled Interserve broke data protection law because it did not institute appropriate measures to prevent the cyber attack.
Information Commissioner John Edwards said: “This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
“Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”
The incident, which happened two years ago, began when an employee downloaded the contents of a phishing email; a subsequent anti-virus alert was not properly investigated.
It is believed that the worker unwittingly downloaded malware to their machine which was flagged for attention by the company’s antivirus (AV) software.
According to the ICO details, the hack caused 283 systems and 16 accounts to be compromised, uninstalled Interserve’s anti-virus system and encrypted all current and former employees’ information.
There were outdated software systems and protocols, a lack of training and insufficient risk assessments.
The ICO can impose a maximum fine of £17.5m or 4% of global annual turnover, whichever is higher. It can choose to reduce the level of a fine if a company can offer mitigating arguments.
The ICO said that after “careful consideration” of representations made by Interserve, it had decided not to reduce the level of the fine, which was the fourth largest it has ever imposed.
Commenting on the level of the fine, Edwards said: “The intention is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness.”
Edwards, who started his five-year tenure as Information Commissioner in January, said the ICO had about 80 active investigations and opened about 500 a year.
The ICO says that ransomware attacks, where the hackers release data only in exchange for cash (often cryptocurrency), are the most common type of cyber crime it deals with.
Edwards warned paying a ransom would not reduce the level of a fine as it was “not considered a reasonable step to safeguard data”.
He added: “We will not concede that the payment of a ransom to recover data is a mitigating factor.”
Last month, the watchdog issued TikTok with a “notice of intent”, a precursor to a potential fine, which could be up to £27m for failing to protect the privacy of children between 2018 and 2020.
In January 2022, the ICO and the National Cyber Security Centre (NCSC), which is part of GCHQ, urged United Kingdom companies to bolster their digital security as the Russian invasion of Ukraine loomed.
Russia is suspected to be behind many of the cyber attacks on Western businesses, although this has not been overwhelmingly proven.
Security experts are in a constant war with cyber criminals who use ransomware to extort money from large companies whose activities depend wholly on the security of their web operations. Any business in which logistics are a key component tends to be susceptible to attack.