Interserve fined £4.4m after staff details accessed by hackers

Cyber attackers accessed the bank details, national insurance numbers and special category data including ethnicity, religion, sexual orientation and health conditions of up to 113,000 Interserve workers, an investigation has found.

Interserve Group – the company created after Interserve plc’s pre-pack administration – has been fined £4.4m by the Information Commissioner’s Office (ICO) for a breach of data protection law.

Interserve had previously reported it was hit by a cyber-attack in May 2020.

Now the ICO has revealed that an Interserve employee forwarded a phishing email, which was not quarantined or blocked by the company’s systems, to a colleague who opened it and downloaded its content, resulting in the installation of malware onto their workstation.

Interserve’s anti-virus mechanism quarantined the malware and sent an alert, but the company failed to thoroughly investigate the suspicious activity, a statement from the ICO said.

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
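The sequence above (a quarantine alert raised, nobody following it up, then the anti-virus removed and further accounts and systems compromised) is a correlation problem a security operations team can automate. The script below is an added illustration written for this article, not Interserve's tooling or anything from the ICO notice: it walks a constructed endpoint timeline (hostnames, usernames, timestamps and the event vocabulary `av_quarantine`, `alert_closed`, `av_uninstalled`, `logon` are all invented for the example) and escalates any quarantine alert that was never closed, listing the follow-on signs that make the gap urgent.

```python
"""Escalate anti-virus quarantine alerts that were never investigated.

Added example; the event schema and all sample data are constructed, not
taken from the Interserve incident or any real product's log format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str  # constructed vocabulary: av_quarantine, alert_closed, av_uninstalled, logon


# Constructed sample timeline (invented hosts, users and times).
SAMPLE_EVENTS = [
    Event(datetime(2020, 5, 1, 9, 0), "ws-017", "alice", "av_quarantine"),
    Event(datetime(2020, 5, 2, 22, 15), "ws-017", "alice", "av_uninstalled"),
    Event(datetime(2020, 5, 3, 1, 0), "srv-002", "alice", "logon"),
    Event(datetime(2020, 5, 3, 1, 5), "srv-003", "alice", "logon"),
    # A second quarantine that was investigated and closed: must not be flagged.
    Event(datetime(2020, 5, 4, 10, 0), "ws-042", "bob", "av_quarantine"),
    Event(datetime(2020, 5, 4, 11, 30), "ws-042", "bob", "alert_closed"),
]


def escalate_unactioned_quarantines(events, window=timedelta(days=7)):
    """Return one finding per quarantine alert with no closure within `window`.

    The timeline is treated as complete and retrospective. Each finding carries
    the reasons for escalation: the missing closure itself, plus any behaviour
    on the same host or by the same user that is consistent with compromise.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for q in (e for e in events if e.kind == "av_quarantine"):
        later = [e for e in events if q.ts < e.ts <= q.ts + window]
        if any(e.kind == "alert_closed" and e.host == q.host for e in later):
            continue  # an analyst investigated and closed this alert
        reasons = ["no investigation closure recorded"]
        if any(e.kind == "av_uninstalled" and e.host == q.host for e in later):
            reasons.append("anti-virus removed from the quarantine host")
        other_hosts = sorted({e.host for e in later
                              if e.kind == "logon" and e.user == q.user and e.host != q.host})
        if other_hosts:
            reasons.append(f"{q.user} logged on to {len(other_hosts)} other host(s): "
                           + ", ".join(other_hosts))
        findings.append({"host": q.host, "user": q.user,
                         "quarantined_at": q.ts, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in escalate_unactioned_quarantines(SAMPLE_EVENTS):
        print(f"{f['host']} ({f['user']}): " + "; ".join(f["reasons"]))
```

On the sample timeline only the first alert is escalated, with three reasons; the second is closed and ignored. The point of the design is that the unclosed alert is itself a finding, and the later anti-virus removal and cross-host logons only raise its priority: waiting for those indicators before looking at the quarantine is exactly the gap the regulator described.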

The ICO found Interserve used outdated software systems and protocols; failed to follow up on the original alert of suspicious activity; lacked adequate staff training; and carried out insufficient risk assessments.

The company broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information, the watchdog ruled.

UK information commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside their company, but from complacency within their company.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

Since the incident, most of Interserve Group has been either sold or spun off, with its construction arm Tilbury Douglas becoming a standalone contractor in June, although it remains owned by the same shareholders.

Its RMD Kwikform business, which was subject to a separate cyber-attack later in 2020 but not fined by the ICO, was sold to Altrad in October 2021, while Mitie bought Interserve’s facilities management operation in November 2020.

Despite the changes, Interserve Group Ltd remains a registered company.

The ICO has powers to pursue formal recovery action that can result in insolvency, and to nominate insolvency practitioners whose investigations can result in personal claims against directors.
