UK Construction Company Fined £4.4m for Serious Security Failings

A British construction company has been fined over £4m ($4.5m) by the data protection regulator after a series of security failings allowed a hacker to steal and encrypt the personal information of 113,000 current and former employees.

The Information Commissioner’s Office (ICO) has the power to fine organizations up to £17.5m ($20m) or 4% of total global annual turnover, whichever is higher, under the GDPR and the UK Data Protection Act 2018.

It claimed that Berkshire-based Interserve Group had failed to put appropriate security measures in place to guard against a ransomware attack. This led to the theft of a large range of sensitive employee information, including contact details, national insurance numbers and bank account details, as well as details of any disabilities, sexual orientation, ethnic origin, religion and health information.

It explained that a phishing email was opened by an employee after being forwarded by a colleague. The worker unwittingly downloaded malware to their machine, which was flagged for attention by the company’s antivirus (AV) software.

However, the follow-up investigation was not thorough enough, enabling the threat actor to access 283 systems and 16 accounts, and to uninstall the company’s AV solution, the ICO said.

The data was encrypted and stolen, although there’s no information on whether Interserve paid its extorters.

According to the regulator, Interserve:

  • Failed to follow up on the original suspicious activity alert
  • Used outdated software systems and protocols
  • Had a lack of adequate staff training
  • Ran insufficient risk assessments

The £4.4m sum is the final fine amount, with the ICO not changing its initial “notice of intent” figure following representations from Interserve.

The ICO urged all companies to learn from this case to avoid serious compromise. To better safeguard people’s data, it said organizations should:

  • Regularly monitor for suspicious activity and investigate any initial warnings
  • Update software and remove outdated or unused platforms
  • Update policies and secure data management systems
  • Provide regular staff training
  • Encourage the use of secure passwords and multi-factor authentication
