Information Commissioner finds firm’s security measures lacking
The Information Commissioner (ICO) has hit Interserve with a £4.4m fine after weak security measures allowed hackers to steal the personal data of up to 113,000 current and former employees.
Cybercriminals struck in May 2020, using a phishing email to gain access to employee information at the firm, which is a Ministry of Defence contractor and had recently been involved in the construction of the NHS Nightingale Hospital in Birmingham.
According to the ICO, the company, which employed roughly 53,500 people at the time of the attack, broke data protection law by failing to put appropriate technical and organisational measures in place to prevent unauthorised access to personal data.
A similar attempt had been made on Bam Construct, another Nightingale firm, the week prior, but unlike Interserve the company’s day-to-day operations were largely unaffected.
Interserve data accessed by the hackers included contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
John Edwards, the UK’s information commissioner, said the biggest cyber risk for businesses was “complacency within their company”, though the company has strongly denied wrongdoing.
The ICO鈥檚 investigation found Interserve had failed to follow up on an alert of suspicious activity from its anti-virus software, which had flagged that malware had been installed onto an employee鈥檚 workstation after the staff member opened and downloaded the content of a forwarded phishing email.
The attacker subsequently compromised 283 systems and 16 accounts and uninstalled the company’s anti-virus solution. Personal data for up to 113,000 current and former employees was encrypted and rendered unavailable.
Edwards said: “Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information.
“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”
The investigation also found that Interserve was using outdated software systems and protocols, lacked adequate staff training and had carried out insufficient risk assessments.
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said Edwards.
In a statement, the Interserve Group disputed that its response was “in any way complacent”.
“As the ICO recognises in its [monetary penalty notice], Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff,” it said.
Another attempt was made to hack Interserve in December 2020, with the firm’s equipment services arm RMD Kwikform, since sold to French construction equipment giant Altrad, this time targeted. This second attack reportedly had “very limited impact” on either RMD or its parent.