4 min read

Writen by Zlatko Delev

Posted on: October 28, 2022

ICO issue fine of £4.4 to Interserve for security failings

On 24 October 2022, the ICO issued a penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for violations of the GDPR (the violations were pre-Brexit). The ICO found that Interserve had failed to put appropriate technical and organizational measures in place to secure personal data (in contravention of Articles 5(1)(f) and 32 GDPR) for a period of approximately 20 months.

The Incident

The incident followed what is proving to be a familiar fact pattern. A phishing email was sent to a group employee which was designed to appear as though the attached document needed urgent action. Subsequent download and ZIP extraction resulted in the installation of malware onto the workstation giving the threat actor access to that workstation (Patient Zero). This was flagged by Interserve’s end point protection system, which reported automatic removal of malware had been successful. Interserve took no further action to verify this, and the threat actor continued to have ongoing access to the workstation.

Following initial access, a server was compromised which was then used to “move laterally” within the Interserve estate (i.e., moving from the initial point of compromise to other parts of the victim’s IT estate). In the subsequent days, the threat actor compromised 283 systems and 16 accounts (12 being privileged admin accounts) across the estate. A privileged account was then used by the threat actor to uninstall Interserve’s anti-virus solution to prevent detection of malware used by the threat actor. The attacker then compromised four HR databases containing data of 113k employees and former employees. The databases were encrypted and rendered unavailable to Interserve. Regulatory notification followed to the NCA, the NCSC and the ICO.

The personal data held on the compromised databases comprised a common HR data set, including employees’ and former employees’: telephone numbers; email addresses; national insurance numbers; bank account details; marital status’; birth dates; education; countries of birth; genders; number of dependents; emergency contact information, and salary. The databases also held special category personal data including ethnic origin; religion; details of disabilities; sexual orientation, and health information relevant to ill-heath retirement applications. Interestingly, each of these items of information was not necessarily held for each of the 113,000 individuals, rather these categories of information were recorded in the relevant databases. Under Article 33(1) GDPR an organization is only obliged to be able to describe the approximate categories and number of personal data records when notifying the ICO which appears to have been the approach adopted by Interserve.

This week’s £4.4 million fine to Interserve Group Ltd should act as an important lesson. Organizations must ensure they put measures in place to protect their business from cyber-attacks. We’ve listed some top tips below to help you protect your business

Always plan ahead
As the saying goes, fail to prepare and prepare to fail – organisations must consider what to do if faced with a cyber-attack. 

Keep software up to date
The exploitation of known software vulnerabilities is a common method used by attackers, as they often scan for them.

Train you staff to be wary
Attackers use social engineering techniques to trick you into doing something. Your security strategy should include ensuring all relevant staff receive basic awareness training in identifying techniques such as phishing.

Use strong passwords
There are three general requirements for any password system that you will need to consider:
-Password length
-Special characters
-Password deny lists

Keep on top of access rights
You should regularly audit your user accounts to ensure they are still required and contain the appropriate privileges and access rights. Make sure staff haven’t retained access from previous roles that are no longer needed.

Back up your data
Backups are one of the most important controls in mitigating the risk of ransomware. However, attackers may attempt to delete or encrypt your backup. So consider if your current backup strategy could be at risk and perform a threat analysis against your solution. 

Take the Data Protection very seriously and carefully. Protect your data now.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy