“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.”
The UK Information Commissioner issued this warning following the ICO’s recent £4.4 million fine on a construction company for breaching UK data protection law.
Data breach
Interserve Group Ltd, a construction company based in England, was hit with a £4.4 million fine due to its failure to safely store its employees’ personal information. This was a major breach of data protection law.
The ICO investigation found that Interserve had failed to implement appropriate security measures to prevent a cyber attack. The attack began with a phishing email; from that initial foothold the attackers compromised 283 systems and 16 accounts, and gained access to the personal data of 130,000 staff. Contact details, national insurance numbers and bank account details were exposed, as was special category data including ethnic origin, religion, details of disabilities, sexual orientation and health information. The attackers then encrypted the personal data, rendering it unavailable to the company.
The ICO concluded that Interserve had been complacent: the company did not act on warnings of suspicious activity, continued to run outdated (redundant) systems and protocols, and failed to give its staff the necessary training. On that basis Interserve was found to have breached data protection law. The £4.4 million fine is a further reminder of the importance of implementing appropriate security measures to guard against cyber threats.
Lessons and safeguards
The UK’s Information Commissioner, John Edwards, stated: “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
To reduce the threat posed by a cyber attack and to ensure that personal data are adequately safeguarded, the ICO expects organisations to monitor their systems regularly for suspicious activity and to investigate every warning thoroughly. It also expects software to be kept up to date, and policies and data management practices to be reviewed and maintained alongside it. Organisations are further advised to train staff regularly and to require strong passwords and multi-factor authentication. Taking these steps reduces the likelihood of a successful attack and, with it, the organisation’s exposure to enforcement action, including fines.
A business that suffers a cyber attack may have to report it to the ICO, the UK data regulator, and to the affected individuals. The National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security, publishes guidance on how organisations should respond to cyber attacks; see the NCSC’s toolkit.
Earlier this year, the ICO and the NCSC jointly produced ransomware guidance for organisations. That guidance advises organisations not to pay a ransom: payment does not reduce the risk to individuals, and the ICO does not regard it as a reasonable step to safeguard personal data.
This article was co-written by Katie Morrison, Trainee Solicitor.
How can we help?
Should you require any assistance with a data breach, please do not hesitate to contact our Data Protection and Cyber Security Team.
We can assist you in understanding whether you have had a personal data breach, or if it is instead a non-compliance issue. Our dedicated Data Breach Response Team can be contacted on 0300 303 1019.