Interserve fined £4.4 million for GDPR breach

Thursday 3 November 2022

The ICO recently imposed a £4.4 million fine having found that Interserve failed to implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has recently fined Interserve Group Limited (Interserve) £4.4 million for breaching Article 5(1)(f) and Article 32 of the General Data Protection Regulation (GDPR) during the period 18 March 2019 to 1 December 2020.

The ICO started an investigation after Interserve reported a personal data breach to it. The ICO investigation concentrated on whether Interserve had appropriate security for personal data under Article 5(1)(f) and Article 32.

Article 5(1)(f) states that personal data shall be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 32 covers the security of processing personal data and states:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

a) the pseudonymisation and encryption of personal data;

b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

The personal data breach originated with a phishing email, sent to the Interserve accounts team mailbox and presented as an urgent document review. The email was forwarded internally and, the next day, the attached ZIP file was downloaded and opened, which installed malware on the workstation and gave the attacker initial access to it.

As the employee who downloaded the malware was working from home, they were connected to Interserve’s systems using a split-tunnel method, which meant that their internet traffic did not pass through Interserve’s systems, which would have restricted access to malicious sites. Although some malware files were successfully removed, the attacker retained access to the workstation, and Interserve took no further action.

A few days later, the attacker compromised a server, and a month later a further attack compromised 283 systems and 16 accounts, 12 of which were considered privileged, across four domains. The attacker executed a script that uninstalled Interserve’s anti-virus solution and compromised a number of other servers, including the HR systems, which held the personal data of up to 113,000 individuals, including special category data. The attacker also encrypted the data, rendering it unavailable to Interserve.

Interserve discovered the breach after the last attack and started an investigation. Interserve also engaged external services to support it in investigating the breach and notified the National Crime Agency and the ICO.

In its investigation, the ICO found that Interserve had breached both Article 5 and Article 32 because Interserve did not have a set of technical and organisational measures “which, viewed holistically, ensure a level of security appropriate to the known risks, taking into account the state of the art, costs of implementation and the nature, scope, context and purpose of the processing it performs.” Further, Interserve was found to have failed to implement measures that would restore the availability of, and access to, the personal data.

The ICO found that, whilst Interserve had policies established in 2016, those policies had not been updated, and no formal risk assessments had been undertaken to feed into Interserve’s privacy programme. The ICO also found that Interserve was processing personal data on unsupported operating systems, contrary to its own policies, and that it ought reasonably to have been aware of the risks, as senior management knew of historic and legacy issues that had previously been highlighted. In addition, the ICO found that Interserve had not enabled host-based firewalls, had failed to undertake adequate vulnerability scanning and penetration testing, and was using outdated protocols.

In coming to its decision, the ICO highlighted the importance of training employees and of being able to evidence that training, indicating that Interserve “ought reasonably been aware of the risks posed by failing to implement effective and appropriate security training for all employees prior to obtaining access to the IT systems.”

Of note within the ICO’s findings was that it was not concerned with Interserve’s financial constraints at the time of the incident; whilst Interserve, after the breach, made a substantial financial investment in its data privacy regime, including the training of employees, the ICO commented that this investment should have been made earlier.

A fine of £4.4 million is substantial, and the ICO’s decision reinforces the need not only for appropriate security measures, but also for ongoing review of the risks to the business, with those risks then addressed and fed into the security and privacy frameworks, including employee training programmes.

If you or your organisation have any queries on how to establish a compliant data privacy culture, or would like to discuss bespoke training to tie into your existing frameworks, please contact Eleanore Beard in our Data Protection team.
