The UK Information Commissioner’s Office (ICO) has announced a monetary penalty imposed on Interserve Group Limited, the UK-based parent company of a group of construction companies,* for infringements of the General Data Protection Regulation (GDPR).
According to the Monetary Penalty Notice, Interserve failed to process personal data in a manner that ensured appropriate security, rendering the company’s systems vulnerable to the cyberattack that took place between March and May 2020. Interserve was responsible for data protection and information security for the group of companies it controlled.
In May 2020, Interserve reported a data breach to the ICO in which the personal data of approximately 113,000 current and former employees of Interserve was compromised. The data included telephone numbers, email addresses, national insurance numbers, bank account details, date of birth, marital status, country of birth, gender, education and salary, as well as “special category personal data” within the meaning of Article 9 of the GDPR, such as ethnic origin, disabilities, health information, religion, and sexual orientation. The breach was effected through a phishing email sent to an employee, who forwarded it to a second employee; that employee opened a link in the email, which installed malware on his or her computer. Through various avenues the malware spread to Interserve servers and encrypted the personal data stored there, making it inaccessible to Interserve.
The ICO found that Interserve was processing personal data on unsupported operating systems, contrary to the firm’s own policies and to industry best practice. The ICO found, further, that Interserve had not followed its own technical security infrastructure and network management standard, and had failed to implement appropriate end-point protection, namely suitable detection, prevention and recovery controls. Interserve also failed to undertake adequate vulnerability scanning and penetration testing as required by industry practice and Interserve’s own standards. The firm also failed to require information security training for all employees, and used outdated internet protocols. Moreover, Interserve’s incident response was inadequate and did not follow the company’s own protocol, and too many individuals held administrative permissions within the system. In all these areas, Interserve knew or should have known that it was not properly implementing company and industry policies and standards.
The ICO determined that these failures resulted in infringements of Articles 5(1)(f) and 32 of the GDPR. Article 5 requires data controllers to process personal data in a manner that ensures appropriate security; Article 32 mandates the implementation of appropriate technical and organizational measures, and the restoration of access to personal data in a timely manner.
In assessing the financial penalty, the ICO took into account the gravity and duration of the incident, including the company’s negligent approach to data security, and Interserve’s response to the incident. Whilst the categories of personal data affected were broad and the number of individuals relatively large, Interserve did self-report the incident in a timely manner to both the ICO and the National Crime Agency, and cooperated fully during the course of the investigation. The ICO viewed earlier data breach incidents as aggravating factors, but took into account as mitigating factors the company’s independent and proactive investment in remedial measures such as updating its servers, reducing the number of individuals with administrative permissions, implementing new enterprise-level endpoint protection, and appointing chief information, information security, and data protection officers.
The ICO also examined the extent to which Interserve’s non-compliance resulted from the coronavirus pandemic. In normal circumstances the phishing link would have been blocked by Interserve’s internet filtering mechanism; however, when the relevant employee clicked on the link that downloaded the ransomware, the employee was working from home through a split tunneling arrangement, so that some activities were routed through the employee’s home internet connection rather than the corporate network. Nevertheless, it was, according to the ICO, the negligent security practices of Interserve that allowed the attackers to access and encrypt the personal data.
Having taken into account both mitigating and aggravating factors, and having applied the five-step penalty assessment process set forth in the ICO’s Regulatory Action Policy, the ICO decided to impose a penalty of £4,400,000 as an effective, dissuasive and proportionate penalty.
* Interserve Group Limited succeeded Interserve plc in interest in March 2019.