Inadequate security of personal data leads to £4,400,000 fine

The British construction company Interserve Group Limited received an administrative fine of £4,400,000 from the Information Commissioner’s Office (ICO). Interserve failed to comply with Article 5 (1) (f) and Article 32 of the General Data Protection Regulation as retained under the law of England and Wales after Brexit (UK GDPR), as it failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

Background of the fine

Between 18 March 2019 and 1 December 2020 Interserve failed to have appropriate technical and organisational measures in place, which left it vulnerable to a cyber-attack which took place between March and May 2020. The cyber-attack affected the personal data of up to 113,000 employees of Interserve.

The cyber-attack began with a phishing email carrying an attachment which an employee opened and downloaded on 1 April 2020. Opening the attachment installed malware on the employee’s workstation and gave the attackers a foothold on the system.

Interserve’s System Center Endpoint Protection tool removed some of the malware files and reported the automatic removal as successful, but the clean-up was incomplete. The attacker retained access to the workstation, and Interserve did not verify that all of the malware files had actually been removed. The attacker then moved through the network and, most significantly, compromised Interserve’s servers, including four HR servers which together held personal data relating to up to 113,000 individuals, including special category data. The attacker encrypted the personal data on those systems, rendering it unavailable to Interserve.

Interserve notified the ICO of the personal data breach on 5 May 2020, after having discovered the breach on 2 May 2020.

Legal classification of the data protection law breaches

The principle of ‘integrity and confidentiality’

The UK GDPR requires that controllers, such as Interserve, process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. This is the data protection principle known as ‘integrity and confidentiality’. The ICO judged Interserve to have failed to fulfil this principle on the following points:

  • It processed personal data on unsupported operating systems. These systems no longer received security updates, so known vulnerabilities remained unpatched and exploitable by malicious actors.
  • It did not implement appropriate end-point protection.
  • It did not conduct regular penetration testing.
  • It did not ensure that all employees received effective and appropriate data protection and security training before being given access to the IT system.
  • It did not retire outdated protocols, in particular the SMB 1 protocol.
  • Its Information Security Team did not investigate the initial compromise.
  • It did not restrict domain privileges to the minimum number of users who strictly required them in the circumstances.
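Three of the gaps listed above (SMB 1 still enabled, an operating system out of support, and domain privileges granted too widely) are things an administrator can check from the host itself. The following read-only audit is an added example written for this article; it is not code from the ICO’s notice or from Interserve. It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed, an elevated PowerShell session (Get-WindowsOptionalFeature requires it), and a hypothetical threshold of five Domain Admins; the build-number cut-off is an illustrative lower bound, not a substitute for the vendor’s lifecycle table.

```powershell
# Added example: read-only audit of three control gaps named in the ICO's
# findings. Assumes: domain-joined Windows host, ActiveDirectory module,
# elevated session. Thresholds marked "assumed" are illustrative only.

function Test-Smb1Disabled {
    # SMB 1 must be off on the server side and the optional feature removed.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    $featureOff = ($null -eq $feature) -or ($feature.State -ne 'Enabled')

    [pscustomobject]@{
        Control = 'SMB 1 disabled'
        Pass    = (-not $serverEnabled) -and $featureOff
        Detail  = "EnableSMB1Protocol=$serverEnabled; Feature=$($feature.State)"
    }
    # Remediation, if Pass is $false (both cmdlets exist in Windows 8.1/2012 R2 and later):
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Test-OsSupported {
    # Assumed cut-off: anything below build 14393 (Windows 10 1607 / Server 2016)
    # is certainly out of support (Windows 7, 8.1, Server 2008 R2, 2012 R2 and
    # the first Windows 10 releases). Builds at or above may still be unsupported,
    # so treat a pass here as necessary, not sufficient.
    $minSupportedBuild = 14393
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    [pscustomobject]@{
        Control = 'OS in support (lower-bound check)'
        Pass    = ($build -ge $minSupportedBuild)
        Detail  = "$($os.Caption) build $build"
    }
}

function Test-DomainAdminsMinimal {
    param([int]$MaxMembers = 5)   # assumed threshold for illustration

    # Recursive expansion catches nested groups; keep only user objects.
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' })

    [pscustomobject]@{
        Control = "Domain Admins <= $MaxMembers users"
        Pass    = ($members.Count -le $MaxMembers)
        Detail  = "$($members.Count) users: $($members.SamAccountName -join ', ')"
    }
}

# Run all three checks and print a table; a $false in Pass is a finding
# of the same kind the ICO recorded against Interserve.
$results = @(Test-Smb1Disabled; Test-OsSupported; Test-DomainAdminsMinimal)
$results | Format-Table -AutoSize
```

Run the script on each server that processes personal data, not only on the workstation fleet: in this case it was the HR servers that held the 113,000 records, and a host-level check is only evidence of appropriate measures if it is repeated across the estate and the failures it reports are actually remediated.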

The ICO found that Interserve “ought reasonably to have been aware of the risks posed” by these failures, yet it took no action to address them.

Whether the principle of integrity and confidentiality has been breached is always judged case by case, taking the specific circumstances into account. However, running clearly outdated systems, protections and protocols will almost certainly amount to a failure to comply with the duties imposed by the UK GDPR unless there are very good justifications for keeping them. That requires a conscious, documented assessment of why the outdated systems are to remain; keeping them merely through oversight or negligence is not sufficient, and it is what led to Interserve being fined.

Security of processing

Art. 32 UK GDPR requires that the controller implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Because of its use of outdated operating systems and protocols, its ineffective endpoint security and its failure to ensure that all employees had undertaken proper training, the ICO judged Interserve to have failed to implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services, contrary to Article 32 (1) (b) UK GDPR. A breach of the data protection principle of integrity and confidentiality will therefore generally give rise to a breach of Art. 32 UK GDPR as well.

Furthermore, Interserve failed to ensure that personal data was available and accessible in a timely manner in the event of a physical or technical incident. Months passed before all personal data was available and accessible again after the data breach.

Factors for determining the penalty

The fine imposed upon Interserve was due to the ICO taking the following factors into account:

  • Nature of the infringement:
    • The cyber-attack affected up to 113,000 employees, and the data involved included special category data. Further, for a period of up to three months data subjects were unable to obtain timely access to all of their personal data.
    • The ICO saw no evidence of appropriate oversight by Interserve's management.
    • The ICO saw no evidence of regular review of security systems.
    • Interserve did not have an information security programme consistent with the requirements of the UK GDPR.
  • Gravity of the infringement:
    • The volume of personal data affected and the nature of personal data affected required robust security measures to be put in place with appropriate controls and oversight.
    • The lack of robust security measures caused the data breach.
    • The ICO did not accept financial constraints as an explanation for the lack of robust security measures: many of the required measures would not have been expensive to implement, the expense would in any case have been justified given the nature and volume of the data, industry standards require adequate resources to be made available, and appropriate risk assessments had not been conducted.
  • Duration of the infringement:
    • Failure to implement appropriate security measures was ongoing.
    • Failure to conduct risk assessments and penetration tests was ongoing.
  • Number of data subjects affected:
    • Although the ICO determined that no actual harm had been caused to the affected data subjects, the possibility of harm was sufficient to justify the fine. The loss of availability of, and access to, their personal data also significantly affected data subjects.
  • The negligent character of the infringement:
    • Interserve was judged to have been aware, or to have ought reasonably to have been aware, at all material times of the required standards, and to have failed to meet them.

The ICO also took into account the following:

  • Interserve's notification to the data subjects, which it was strictly speaking not required to do.
  • Its engagement of external advisors.
  • Its notification to authorities.
  • Its engagement of third party monitoring of dark web activity to identify any evidence of personal data from Interserve.
  • Its significant financial investments to increase its security.
  • Its full cooperation with the ICO's investigations.
  • Interserve's history of data breaches, and its timely report of this one.

As an aggravating factor the ICO examined Interserve's history of data breaches and its previous failure to review the ICO's UK GDPR security guidance and to provide employee training on managing phishing attacks, as the ICO had requested after two earlier data breaches were reported. As mitigating factors the ICO took into account Interserve's independent and proactive addressing of areas of non-compliance, and the extent to which the breach was attributable to the COVID-19 pandemic, as the phishing email was opened while the employee concerned was working from home.

Taking each of the above factors into account the ICO judged the fine to be “effective, dissuasive and proportionate given the failings identified, the current status of the company and steps taken to improve measures which mitigate the future risk to data subjects”.

Conclusion

The fine imposed upon Interserve serves as a reminder that a company with a working data protection management system and information security management system can effectively

  1. prevent data breaches and security incidents,
  2. mitigate these if they do occur,
  3. muster the appropriate response quickly,
  4. provide evidence of compliance to reduce any penalties which may be imposed and finally
  5. cooperate with the authorities should they have to be involved.

Interserve failed on several of these fronts, and its negligence cost the company dearly.

If you are uncertain about your processes, security measures or whether these are appropriate to the risk of the personal data being processed, please contact our experts. We will be happy to advise you!