British company Interserve fined £4.4 million over ransomware attack

A British construction company has been fined £4.4 million (about $5 million) by the U.K.’s data protection regulator after a ransomware group accessed sensitive data on 113,000 employees.

Interserve Group “failed to put appropriate security measures in place to prevent the cyberattack” which began with a phishing email, the Information Commissioner’s Office (ICO) stated on Monday.

It is the second fine which the regulator has issued this year regarding an organization falling short of its data protection duties in connection with a ransomware attack, after a law firm was fined £98,000 when hackers accessed 24,000 court bundles containing medical files and witness statements.

We have seen a steady increase in the number of personal data breaches caused by ransomware. This is a type of malicious software designed to block access to computer systems using encryption.

Read our guide to stay protected: https://t.co/h2NvUIymos pic.twitter.com/un3YgZgW18

— ICO - Information Commissioner's Office (@ICOnews) June 28, 2022

In the case of Interserve, which went into administration in 2019 and is unlikely to ultimately pay the fine, the attackers were able to compromise employees’ “contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information,” according to the ICO.

The breach occurred when an employee forwarded the phishing email — which was not blocked or quarantined by Interserve’s systems — to another employee who opened it and downloaded its content, which contained malware.

Although the company had an anti-virus solution that quarantined the malware and sent an alert, Interserve “failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems,” the ICO said.

The hackers then compromised 283 systems and 16 accounts at Interserve and uninstalled the anti-virus as well before encrypting the personal data of “up to 113,000 current and former employees.”

John Edwards, the Information Commissioner, said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”

He described Interserve’s activities as “leaving the door open to cyber attackers” and warned the breach had the potential to leave the company’s staff “vulnerable to the possibility of identity theft and financial fraud.”

The ICO’s investigation found that Interserve “failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.”

The company was deemed to have broken data protection law by failing to put appropriate technical and organizational measures in place to prevent the unauthorized access of people’s information. Interserve had appealed against the fine to the ICO, but no reductions were made to the final fine.