Are your business's IT security systems robust enough to avoid cyber-attacks?

14 December 2022 | Jatinder Tara

The Information Commissioner's Office (ICO) has the authority to levy fines of up to £17.5 million or 4% of a company's annual global revenue, whichever is larger, for data protection breaches.

The Interserve Group has been fined £4.4 million by the ICO for data protection violations in which hackers, using phishing emails, were able to access and encrypt the personal data of former and current employees over a period of several months. This data included contact details, NI numbers, bank account details and other special category personal data.

Interserve's IT security was unable to stop the phishing email. Once it was received by one employee and shared with others, the downloaded attachments were malicious: the hackers installed malware, compromised Interserve's anti-virus software and gained access to employee data.

Upon realising the breach, Interserve submitted a personal data breach notification to the ICO on 5 May 2020. The ICO proceeded to investigate and identified that between 18 March 2019 and 1 December 2020, Interserve failed to process personal data in a manner that ensured its appropriate security, as required by Article 5(1)(f) and Article 32 GDPR.

The ICO investigation revealed, amongst other things, that personal data was being processed on unsupported / outdated operating systems that no longer received security updates to fix known vulnerabilities, and that Interserve failed to undertake adequate vulnerability scanning / penetration testing, failed to implement suitable end point protection, and allowed too many employees to hold access privileges.

Also, Interserve had outdated protocols in place and inadequate training on what action to take when a phishing email was received.

Interserve tried to persuade the ICO that it had taken extensive steps to resolve the incident, mitigated the potential impact and ensured its infrastructure, systems and processes were fit for purpose going forward, but the ICO concluded that the contraventions were sufficiently serious to justify issuing a penalty and a significant fine.

The ICO's decision sends a clear message to businesses of all sizes: they must monitor suspicious IT activity and have up-to-date, robust IT security systems in place, together with regular staff training on cyber security, as breaching the Data Protection laws can give rise to severe consequences.

The article is for general information purposes only and should not be relied upon as authoritative and is correct as of 4th November 2022. However, should you require any further assistance on the matter, please do not hesitate to call our advice-line team on 01455 852028.
