
Written by Zlatko Delev

Posted on: October 28, 2022

ICO issues fine of £4.4m to Interserve for security failings

On 24 October 2022, the ICO issued a monetary penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit). The ICO found that Interserve had failed to put appropriate technical and organizational measures in place to secure personal data (in contravention of Articles 5(1)(f) and 32 GDPR) for a period of approximately 20 months.

The Incident

The incident followed what is proving to be a familiar fact pattern. A phishing email, designed to appear as though the attached document needed urgent action, was sent to a group employee. Downloading and extracting the ZIP attachment installed malware on the workstation, giving the threat actor access to it (Patient Zero). Interserve’s endpoint protection system flagged this and reported that it had automatically removed the malware. Interserve took no further action to verify this, and the threat actor continued to have ongoing access to the workstation.

Following initial access, a server was compromised, which was then used to “move laterally” within the Interserve estate (i.e., moving from the initial point of compromise to other parts of the victim’s IT estate). In the subsequent days, the threat actor compromised 283 systems and 16 accounts (12 of them privileged admin accounts) across the estate. A privileged account was then used by the threat actor to uninstall Interserve’s anti-virus solution to prevent detection of the malware used by the threat actor. The attacker then compromised four HR databases containing data on 113,000 employees and former employees. The databases were encrypted and rendered unavailable to Interserve. Regulatory notification followed to the NCA, the NCSC and the ICO.

The personal data held on the compromised databases comprised a common HR data set, including employees’ and former employees’: telephone numbers; email addresses; national insurance numbers; bank account details; marital status; birth dates; education; countries of birth; genders; number of dependents; emergency contact information, and salary. The databases also held special category personal data including ethnic origin; religion; details of disabilities; sexual orientation, and health information relevant to ill-health retirement applications. Interestingly, each of these items of information was not necessarily held for each of the 113,000 individuals; rather, these categories of information were recorded in the relevant databases. Under Article 33(1) GDPR an organization is only obliged to be able to describe the approximate categories and number of personal data records when notifying the ICO, which appears to have been the approach adopted by Interserve.

This week’s £4.4 million fine to Interserve Group Ltd should act as an important lesson. Organizations must ensure they put measures in place to protect their business from cyber-attacks. We’ve listed some top tips below to help you protect your business.

Always plan ahead
As the saying goes, fail to prepare, prepare to fail – organizations must consider what to do if faced with a cyber-attack.

Keep software up to date
The exploitation of known software vulnerabilities is a common method used by attackers, as they often scan for them.

Train your staff to be wary
Attackers use social engineering techniques to trick you into doing something. Your security strategy should include ensuring all relevant staff receive basic awareness training in identifying techniques such as phishing.

Use strong passwords
There are three general requirements for any password system that you will need to consider:
- Password length
- Special characters
- Password deny lists
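The three requirements above can be checked together in one routine. The following is an added example, not code from the original post or from any product it mentions; the deny list, the minimum length of 12 and the substitution table are constructed assumptions for illustration. It goes slightly beyond the list by normalising the candidate password (lowercasing, undoing common character substitutions and stripping trailing digits and punctuation) before the deny-list lookup, so that trivial variations of a denied word are still caught.

```python
"""Password policy check: minimum length, special characters, deny list."""
import re
import unicodedata

# Constructed deny list for illustration; a real deployment would load a
# large list of breached or common passwords from a file instead.
DENY_LIST = {
    "password", "password1", "qwerty", "letmein", "welcome", "admin",
    "summer2022",
}

# Common character substitutions that attacker wordlists already account for,
# so "p@ssw0rd" is treated the same as "password" for the deny-list check.
_LEET = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "i", "!": "i", "3": "e", "$": "s",
    "5": "s", "7": "t",
})

MIN_LENGTH = 12  # assumed policy value
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def normalise(pw: str) -> str:
    """Canonical form used for the deny-list lookup.

    Lowercase, strip trailing digits/punctuation (e.g. "Welcome2022!" -> "welcome"),
    then undo common substitutions ("p@ssw0rd" -> "password").
    """
    pw = unicodedata.normalize("NFKC", pw).lower()
    pw = re.sub(r"[\d\W_]+$", "", pw)
    return pw.translate(_LEET)


def check_password(pw: str, deny_list=DENY_LIST, min_length=MIN_LENGTH) -> list[str]:
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(ch in SPECIALS for ch in pw):
        failures.append("no special character")
    # Check both the raw lowercase value and the normalised form.
    if pw.lower() in deny_list or normalise(pw) in deny_list:
        failures.append("matches deny list")
    return failures


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2022!", "Summer2022", "Correct-Horse-Battery-Staple!"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that a password can satisfy the length and special-character rules and still fail the deny list, which is why the three checks are reported independently rather than stopping at the first failure.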

Keep on top of access rights
You should regularly audit your user accounts to ensure they are still required and contain the appropriate privileges and access rights. Make sure staff haven’t retained access from previous roles that are no longer needed.

Back up your data
Backups are one of the most important controls in mitigating the risk of ransomware. However, attackers may attempt to delete or encrypt your backups, so consider whether your current backup strategy could be at risk and perform a threat analysis against your solution.

Take data protection seriously. Protect your data now.

Contact

I hope you find this useful. If you need an EU representative, have questions about the GDPR, or have received a SAR or regulatory request and need help, you can contact us at any time. We are always happy to help...
GDPR Local Team.
