Construction group Interserve fined $4.9m for failing to prevent cyberattack

The UK’s Information Commissioner’s Office (ICO) fined the Berkshire-based construction group Interserve £4.4 million ($4.9 million) following a cyberattack, started by a phishing email, that exposed the personal information of up to 113,000 employees.

The initial attack occurred in May 2020, when an employee forwarded a phishing email to a colleague, who then downloaded it and unwittingly installed malware on a company workstation.

Interserve is now accused of failing to put appropriate defenses in place to safeguard its employees’ data. The email was neither blocked nor quarantined by the company’s system, and even when the malware got caught by the built-in antivirus, Interserve did not investigate the matter further.

As a result, the cybercriminal compromised 283 systems and 16 accounts, uninstalled the company’s antivirus solution, and encrypted the information of up to 113,000 employees.

According to the ICO, the compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The ICO determined that Interserve had violated data protection law by lacking proper employee training, failing to put technical safeguards in place, and using outdated software systems and protocols.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud,” John Edwards, UK Information Commissioner, said.

The fine is the fourth-biggest imposed by the British watchdog, with the ICO refusing to reduce it based on mitigating circumstances. According to Edwards, the fine is meant to serve as an impetus for directors and chairmen to challenge chief executives about their level of cyber preparedness.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office,” Edwards elaborated.