Brian Sims

ICO fines Interserve Group Ltd £4.4 million for major data protection breach

THE INFORMATION Commissioner has warned that companies are “leaving themselves open to cyber attack” by ignoring crucial measures like updating software and training members of staff. The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to the Interserve Group Ltd, the Berkshire-based construction company, for failing to keep the personal information of its staff secure. This is a breach of data protection law.

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing e-mail.

The compromised data included personal information such as contact details, National Insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health-related information.

John Edwards, the UK’s Information Commissioner, said: “The biggest cyber risk businesses face is not from hackers outside of their company, but rather from complacency within their business. If any given business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or otherwise doesn’t update software and fails to provide training for its members of staff, then they can expect a similar fine from my office.”

Edwards continued: “Leaving the door open to cyber attackers is never acceptable, especially so when dealing with people’s most sensitive pieces of personal information. This data breach had the potential to cause real harm to Interserve’s staff as it left them vulnerable to the possibility of identity theft and financial fraud.”

Further, Edwards observed: “Cyber attacks are a global concern. Businesses around the world need to take steps to guard against complacency. The ICO and the National Cyber Security Centre already work together to offer advice and support to businesses.”

Background to the data breach

An Interserve Group Ltd employee forwarded a phishing e-mail, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware on the employee's workstation.

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If the organisation had done so, Interserve would have found that the attacker still had access to the company’s systems.

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. The personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and lacked adequate staff training and sufficient risk assessments, which ultimately left the company vulnerable to a cyber attack.

Interserve broke data protection law by failing to put appropriate technical and organisational measures in place in order to prevent the unauthorised access of people’s information.

The ICO issued Interserve with a ‘Notice of Intent’ (a legal document that precedes a potential fine). The provisional fine amount was set at £4.4 million. Having carefully considered representations from Interserve, no reductions were made to that total.

Cyber security guidance

Protecting a business from a cyber attack can feel technical or intimidating, but most organisations who are ‘doing things wrong’ have made preventable mistakes. To better safeguard people’s data, organisations must regularly monitor for suspicious activity and investigate any initial warnings.

They must also update software and remove outdated or unused platforms, update policies and secure data management systems, provide regular staff training and encourage secure passwords and multi-factor authentication.

In the event of a cyber attack, there’s a regulatory requirement to report this to the ICO as the data regulator. The National Cyber Security Centre – in its role as the technical authority on cyber security – provides support and incident response to mitigate harm and teach broader cyber security lessons.

Earlier in the year, the ICO worked with the National Cyber Security Centre to remind organisations not to pay a ransom in case of a cyber attack as this does not reduce the risk to individuals and is not considered as a reasonable step for safeguarding data.

This week, John Edwards will be attending the 44th Global Privacy Assembly in Turkey, where more than 120 data protection and privacy authorities will meet. At the Assembly, the ICO will present a resolution calling for further international collaboration to increase cyber resilience across the world.

*For more information, access the ICO’s ransomware guidance or visit the National Cyber Security Centre’s website to learn about mitigating a ransomware threat via its business toolkit.

