ICO serves Interserve £4.4m fine after cyberattack
The regulator said Interserve lacked adequate systems, protocols, risk assessments and staff training.
The Information Commissioner's Office (ICO) has handed down a £4.4 million fine to construction group Interserve, after attackers stole personal information on more than 100,000 employees.
That attack - which took place two years ago - began with a phishing email, which an employee accessed after the message made it past Interserve's internal systems. The ICO also found that a subsequent antivirus alert was not properly investigated - and as a result, 283 systems and 16 accounts were compromised, the company's antivirus was uninstalled and all current and former employees' information was encrypted.
That information, belonging to 113,000 individuals, included bank account details, national insurance numbers, ethnic origin, sexual orientation and religion.
The ICO concluded that Interserve relied on outdated software systems and protocols, that staff lacked adequate training, and that the company had 'insufficient' risk assessments.
Information Commissioner John Edwards said, "This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
"Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people's most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."
Edwards also warned that other companies should "expect a similar fine from my office" if they fail to use adequate protections.
The ICO decided on the level of the fine - the fourth-largest it has ever demanded - after investigating the incident and holding discussions with Interserve. Edwards said the intent "is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness."
Earlier this year the ICO issued a £7.5 million fine to Clearview AI, whose practice of offering image collection as a commercial service the regulator deemed "unacceptable," according to Edwards.
"That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice," he noted.