Interserve faces £4.4 million fine for employee data breach

02 November 2022

The UK’s Information Commissioner’s Office (ICO) has fined UK construction company Interserve £4.4 million following a sizable data breach.

Bad actors used phishing to gain access to the personal data of 113,000 Interserve employees in 2020. The data included national insurance numbers, bank account details, religion, ethnic origin, and sexual orientation.

Interserve reportedly used outdated systems and protocols, neglected staff training, and had inadequate risk assessments. Its system failed to protect against the phishing email, leading to the compromise of 283 systems and 16 accounts; the company’s antivirus system was uninstalled during the attack, and all employee information was encrypted.

“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud,” said John Edwards, the UK information commissioner. “Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.”

The commissioner warned that companies that fail to monitor for suspicious activity, update their software, or provide proper training to staff will also be fined.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” warned Edwards.

The ICO can impose fines of up to £17.5 million or 4% of global annual turnover, but can reduce fines where there are mitigating arguments. In this case, the ICO opted not to reduce the fine.

“The intention is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness,” explained Edwards.

Interserve has faced financial difficulties since 2017 and underwent multiple financial restructurings before entering administration. In 2021, it resurrected the Tilbury Douglas brand for its construction and engineering businesses, which separated from Interserve plc in June 2022. Interserve is expected to fully close in 2024. The years of financial challenges may point to why the company failed to invest in new systems and protect employee data.

Commenting on the events surrounding the attack, Chris Vaughan, VP technical account management - EMEA & South Asia, Tanium, highlighted a worrying narrative.

“This incident follows a trend that I see when working with organisations to bolster their cybersecurity standards: too many still focus too much on reactive measures rather than preventative ones,” said Vaughan. “A narrative has emerged across many IT teams that attacks are becoming too sophisticated to be stopped, and that therefore their efforts should be focused on reacting to security incidents rather than preventing them. However, I would encourage them to focus more on preventative measures which can either minimise the impact of breaches or avoid them altogether.”

Sridhar Iyengar, MD for Zoho Europe, also commented: “Businesses must have a clear understanding of how the third-party services they employ or partner with might be harvesting, selling or using their staff or customer data. This is a common tactic with many third-party tracker services for search engines, e-commerce sites and social platforms, and many businesses might not even be aware their data is being surveilled.”