The ICO issues £4.4 million fine for data protection complacency


The UK Information Commissioner (ICO) has fined Interserve Group Ltd £4.4 million for not keeping the personal data of employees secure. 

As a result of failed data security practices at the firm, hackers used a phishing attack to successfully infiltrate Interserve’s systems and install malware on them. The hackers were then able to access the personal data of up to 113,000 employees. This data included bank account details and special category data, which has strict data protection requirements.

If employees had been properly trained in cyber risk, it is unlikely that they would have opened the malicious email and downloaded its contents. To make matters worse, while the company’s anti-virus software quarantined the malware and sent an alert, “Interserve failed to thoroughly investigate the suspicious activity”. As a result, the ICO investigation found that Interserve:

  • Failed to follow up on the original alert of suspicious activity
  • Used outdated software systems and protocols
  • Had a lack of adequate staff training
  • Had insufficient risk assessments.

All of this left the business vulnerable to a cyber-attack, and by “failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information”, Interserve broke data protection law.

ICO warns that complacency, not hackers, presents biggest cyber risk 

As well as the fine, the ICO has also issued a stark warning to UK businesses that fail to put adequate data protection measures in place. According to the regulator, “companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff”. 

Speaking on this issue, John Edwards, the current UK Information Commissioner, said:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

The ICO has also offered guidance on what organisations must do to avoid making “preventable mistakes”. This includes:

  • Regularly monitoring for suspicious activity
  • Investigating any initial warnings
  • Updating software and removing outdated or unused platforms
  • Updating policies and ensuring there are secure data management systems in place
  • Providing regular staff training
  • Encouraging secure passwords and multi-factor authentication.

You can also find out more about the ICO’s ransomware guidance here.

At Keller Postman UK, we are currently investigating the Interserve data breach. If we believe Interserve is liable for the security failure, we may launch a group action claim against the business. If you are affected, sign up to find out more.

In March 2024, our firm changed its name to KP Law. 
