No mercy: £4.4m ICO fine fuels cyber security warning

Firms that fail to regularly monitor for suspicious online activity and act on warnings can expect no mercy when it comes to regulatory action, with the biggest cyber risk they face not being from hackers outside of the company, but from complacency within.

That is the stark warning from Information Commissioner John Edwards following the issuing of a £4.4m fine under UK GDPR to collapsed British construction and support services business Interserve, which allowed hackers to access the personal data of up to 113,000 employees through a phishing email.

The issue dates back to March 2019, the same month that the one-time £2.2bn business went into administration owing creditors over £100m.

At the time, an Interserve employee forwarded a phishing email – which was not quarantined or blocked by the company’s system – to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation.

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If it had done so, the company would have found that the attacker still had access to its systems.

The ICO investigation found that this rendered Interserve vulnerable to a cyber-attack, which took place in the period March 30 2020 to May 2 2020.

The attacker compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The ICO ruled that Interserve had failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left it vulnerable to a cyber attack.

In April this year, the regulator issued Interserve with a ‘notice of intent’, setting the provisional fine at £4.4m, and despite representations from Interserve, no reductions were made to the final fine amount.

Commissioner Edwards said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and National Cyber Security Centre already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

The prospects of recovering the £4.4m fine, however, are not quite so cut and dry, with Interserve now broken up into numerous companies. Following its administration, the firm secured a pre-pack deal, which saw the rest of the group sold to a newly incorporated firm owned by lenders, Interserve Group.

Interserve’s facilities management business was sold to Mitie in December 2020, and RMD Kwikform was sold in October 2021 to France’s Altrad.

In March 2021, Interserve resurrected the Tilbury Douglas brand for its construction and engineering services businesses. Interserve plc was formally wound-up in the High Court in January 2022.

In June 2022, Tilbury Douglas fully separated from Interserve Group and became a standalone construction contracting company. Some smaller assets are expected to be sold before Interserve Group is finally shut down in 2024.