ICO fines Interserve £4.4 million for failing to protect employee data

What happened

• Interserve Group Ltd, an outsourcing and construction firm, was fined £4.4 million by the Information Commissioner’s Office (ICO) for data protection violations that resulted in a cyberattack. The attack, which occurred in 2020, led to the personal information of 113,000 of its current and past employees being compromised.
• The incident occurred when a phishing email that an employee downloaded was not blocked by Interserve’s system, and a subsequent anti-virus alert was not properly investigated. As a result, the hacker gained access to 283 systems and 16 accounts, and they were also able to deactivate the business’ anti-virus solution.
• Up to 113,000 employees’ personal data spanning 4 HR systems was encrypted and made “unavailable”. In addition to employee bank account information and national insurance number details, the compromised data also included special category data about workers’ ethnic backgrounds, impairments, and their sexual orientation.
• Interserve violated data protection laws as it did not implement the necessary organisational and technological safeguards to prevent unauthorised access to personal data, which is one of the fundamental principles of the UK GDPR.
• In particular, the ICO said that Interserve:
  • failed to follow-up on the original alert of a suspicious activity;
  • used outdated software systems and protocols; and
  • had a lack of adequate staff training and insufficient risk assessments.
• The combination of these factors ultimately created vulnerability to a cyber-attack.
• Interserve was first handed a “notice of intent” by the ICO, with a preliminary fine sum of £4.4 million. The ultimate fine amount remained unchanged after considering representations from Interserve.

Why it matters

• In relation to the fine, John Edwards, the UK Information Commissioner said:
• “This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”
• “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office”.
• Edwards said that the most frequent kind of cyber-attack the ICO dealt with was ransomware, in which hackers demand payment in exchange for returning the compromised data back to the company.
• He warned that paying a ransom was not deemed a legitimate way to secure data, and that it would not lower the severity of a fine or be considered as a mitigating factor.
• This fine reiterates both the stance that the ICO is taking towards inadequate cybersecurity practices as well as the importance of businesses taking a proactive approach to cybersecurity training and maintaining their security systems and procedures to ensure that they are prepared for a cyber-attack when, and not if, it occurs.
• Some recommended practical steps to prevent cybersecurity breaches occurring within your organisation:
  • Ensure a comprehensive cybersecurity training programme is in place for employees at all levels of the business, including annual refreshers. Training should include phishing awareness, to guide staff to identify and respond to phishing attacks appropriately.
  • Take an active approach to cyber-security awareness and make sure it is ongoing e.g. using phishing simulations as part of a security awareness programme in order to gauge staff awareness and reactions toward cyber-attacks, using the data collected from such tests to enhance and improve the existing training programme where necessary;
  • Ensure IT infrastructure and operating systems are tested and updated regularly, ensuring that any vulnerabilities are identified and corrected before an attack hits; and
  • Consider investigating in phishing protection software to detect and prevent attacks and keep the network safe.

What happened

• According to a report from Tech Monitor, an official from the Department for Culture, Media, and Sport (DCMS) has announced that a fresh consultation will be opened into the Data Protection and Digital Information Bill, which is foreseen to replace the UK GDPR, causing more delays for the UK’s new post-Brexit data protection regime.
• According to Owen Rowland, Deputy Director for Data Policy at the DCMS, the adequacy agreement with the EU, which allows the free flow of data between the UK and Europe, will be “at the heart” of the finalised bill.
• Businesses may be somewhat reassured to hear this announcement, considering the DCMS secretary Michelle Donelan recently suggested that more drastic measures would be coming, which could jeopardise the UK’s adequacy agreement with the EU (Xcina Consulting previously wrote about this here).
• Rowland confirmed that the new Data Protection and Digital Information Bill public consultation would be launched “in the coming weeks”.
• He went on to say that ministers “need space to work with all groups to check we go as far as we can to enable growth and innovation while protecting high standards and maintaining our parallel policy objective of looking after EU adequacy and doing so as quickly as possible”.

Why it matters

• The Data Protection and Digital Information Bill was introduced by the DCMS in July as part of an attempt to update and simplify the UK’s data protection regime and take advantage of the country’s departure from the EU.
• Although at the time it looked as though the contents of the Bill had been finalised, work to progress it through parliament has been on hold since September, to give ministers more time to consider the legislation further.
• The more the UK deviates from GDPR, the more likely it is that its adequacy agreement with the EU, which ensures that third-party countries wishing to exchange data have a similar degree of data protection to EU GDPR, might be in jeopardy.
• As Xcina Consulting has previously reported, fresh public consultation on further reforms is likely to come with some challenges, especially in light of the opinions expressed during the DCMS’s prior public consultation on data protection reform, in which the majority of respondents opposed more radical proposals.
• Equally, given the fact that consultation periods can be lengthy, there is no guarantee that new legislation will be passed before the next general election is scheduled, within the next two years. 
• Xcina Consulting will continue to closely monitor the situation and provide updates as they occur.  Join our panel of experts on 1 December to discuss the proposed reforms and other topical Data Protection issues.  

What happened

• In response to a significant rise in supply chain related cyber-attacks in recent years, the National Cyber Security Centre (NCSC) has published new guidance designed to help medium and large organisations to assess the cyber security risks in their supply chain.
• The guidance sets out a practical approach that can be applied ‘from scratch’ or used to build upon any existing risk management techniques and approaches that may already be place within organisations.
• It outlines a five-stage approach to evaluating and managing supply chain risk, which is summarised below:

Stage 1: Before commencement

Learn more about the risks to your company’s supply chain, according to the relationships with suppliers and the access they have to company systems and data. Establish a new strategy for evaluating supply chain security, identifying the key stakeholders in your organisation, as well as gaining senior management support for any necessary adjustments. Learn how your organisation presently assesses risk, since this information will be important for determining the risk to your cyber supply chain going forward.

Stage 2: Develop an approach to assess supply chain cyber security

Establish which organisational aspects and assets are most important to protect, as well as the assurances you require from vendors to do so. Additionally, a consistent and repeatable process for evaluating the cyber security of your suppliers is required. This should, for instance, involve formulating standard contractual terms pertaining to cyber security to be inserted into supplier contracts, using set questions to determine the security profile of each supplier.

Stage 3: Apply the new approach to all new supplier relationships

From the choice to outsource, through to supplier selection, contract award, supplier delivery, and contract termination, consider cyber security at every stage. Ensure that processes are introduced to make sure this happens consistently for every acquisition Additionally, be sure that the staff members who are evaluating vendors have received adequate cyber security training.

Stage 4: Integrate the new approach into existing contracts

Establish a plan to assist your current suppliers in enhancing their security when necessary and identify and ranking them in priority order, according to the level of risk. Reviewing and, if appropriate, strengthening their current contractual cyber-security provisions should also be part of this process.

Stage 5: Continuous improvement is key

Organisational supply chains and the cyber risk landscape are both constantly changing. As a result, keep up to date with any changes in the threat environment, work with suppliers, and adjust your strategy as new threats materialise and circumstances change.

Why it matters

• While most organisations have some form of data protection framework in place to manage the processing of personal data on their own systems, many businesses are still relatively unaware of their data protection obligations in supply chains.
• UK GDPR requires controllers to undertake due diligence on third parties they appoint as processors or share personal data with. This means that organisations should use only suppliers that can demonstrate their internal compliance, document the security of their IT systems and implement appropriate technical and organisational measures, as required by the GDPR, to protect data subjects’ rights.
• Managing risks and building cyber resilience in the supply chain has become increasingly important, as organisations in every industry increasingly rely on a growing network of third parties for the delivery of products and services.
• Key suppliers will likely include cloud services, software and platforms as a service, payment providers, shared service centres, and data centres, to name a few.
• It’s also important to remember that even the exchange of employee contact details between contracting parties falls within the scope of GDPR, as work email addresses or telephone numbers for specific business contacts will constitute personal data. Therefore, it is not only the personal data of customers that requires protection, but also that of employees and other named individuals.
• The requirement to carry out comprehensive due diligence checks both during the procurement stage, as well as on-going checks to ensure that contractual obligations are being met by suppliers, can be a complex and time-consuming exercise.
• Xcina Consulting assists firms with implementing appropriate and effective approaches to third-party risk management and assurance that focus on the key third-party risks and provide a robust framework for assessing compliance with defined expectations.
• Xcina brings together procurement expertise, technical compliance knowledge, IT and risk management specialists, supply chain continuity and relationship management experts, to provide an end-to-end third-party management service.

To find out more about Xcina’s Third Party Management and Assurance Service, click here.