Gone phishing: UK data watchdog fines construction biz £4.4m for poor infosec hygiene
Staff member bit on lure, ultimately exposed up to 113,000 colleagues' personal information
Britain's data watchdog has slapped construction business Interserve Group with a potential £4.4 million ($4.98M) fine after a successful phishing attack by criminals exposed the personal data of up to 113,000 employees.
The Information Commissioner's Office said the Berkshire-based company failed to exercise good security hygiene, including not acting on alerts, and so was deemed to have broken data protection laws.
In a classic sting, one member of Interserve's workforce forwarded the email containing the hidden nasty to a colleague, who then opened it and downloaded the content, allowing the malware to do its work.
The anti-virus in use quarantined the malware and dispatched an alert, but Interserve "failed to thoroughly investigate the suspicious activity," and doing so might have revealed the bad actor had obtained access to company systems.
The criminal then compromised 283 systems and 16 accounts, and uninstalled the AV software. "Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable," the ICO said in a statement.
A subsequent probe by the data regulator found a litany of errors made by Interserve – including not responding to the initial alert of suspicious activity, using outdated software systems and protocols, a lack of suitable training for staff and insufficient risk assessments. These, the ICO claims, ultimately left the business vulnerable to cyber baddies.
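The failure pattern the ICO describes has two parts that are easy to check for: an anti-virus quarantine alert that nobody follows up, and the attacker subsequently removing the AV from a large number of hosts. The script below is an added illustration of that triage logic and is not Interserve's or the ICO's tooling. It assumes a hypothetical, constructed log format (one JSON object per line with `ts`, `host`, `event` and optional fields); the host names, user names and timestamps in the sample are made up for the example, and a real deployment would read the equivalent fields from an EDR or SIEM export.

```python
"""Correlate AV quarantine alerts with later AV tampering across a fleet.

Added example, not code from the article or from Interserve/the ICO.
Log format (hypothetical): one JSON object per line with "ts" (ISO 8601),
"host", "event", and optional "user"/"detail".
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (hosts, users and times are invented).
SAMPLE_LOG = """\
{"ts": "2020-05-03T09:12:00", "host": "ws-0417", "event": "av_quarantine", "detail": "trojan in mail attachment"}
{"ts": "2020-05-03T09:12:01", "host": "ws-0417", "event": "alert_raised"}
{"ts": "2020-05-04T22:40:00", "host": "ws-0417", "event": "av_uninstall"}
{"ts": "2020-05-04T22:41:10", "host": "srv-file01", "event": "av_uninstall"}
{"ts": "2020-05-04T22:41:30", "host": "srv-file02", "event": "av_uninstall"}
{"ts": "2020-05-04T22:42:00", "host": "srv-file03", "event": "av_uninstall"}
{"ts": "2020-05-05T01:00:00", "host": "dc-01", "event": "logon", "user": "svc_backup"}
{"ts": "2020-06-01T10:00:00", "host": "ws-0999", "event": "av_uninstall", "detail": "decommission"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def unacknowledged_quarantines(events, sla=timedelta(hours=24)):
    """Hosts whose av_quarantine had no 'alert_acknowledged' within the SLA.

    An alert that is raised but never acknowledged is the "missed alert"
    failure: the tool did its job, the humans did not.
    """
    acks = {}
    for ev in events:
        if ev["event"] == "alert_acknowledged":
            acks.setdefault(ev["host"], []).append(ev["ts"])
    stale = []
    for ev in events:
        if ev["event"] != "av_quarantine":
            continue
        deadline = ev["ts"] + sla
        if not any(ev["ts"] <= t <= deadline for t in acks.get(ev["host"], [])):
            stale.append(ev["host"])
    return stale


def quarantine_then_tamper(events, window=timedelta(days=7)):
    """Hosts where AV was uninstalled within `window` after a quarantine.

    A quarantine followed by the AV disappearing on the same host is a strong
    sign the malware had a second stage that the quarantine did not stop.
    """
    last_quarantine = {}
    flagged = []
    for ev in events:
        if ev["event"] == "av_quarantine":
            last_quarantine[ev["host"]] = ev["ts"]
        elif ev["event"] == "av_uninstall":
            q = last_quarantine.get(ev["host"])
            if q is not None and q <= ev["ts"] <= q + window:
                flagged.append(ev["host"])
    return flagged


def uninstall_burst_hosts(events, window=timedelta(minutes=30), min_hosts=3):
    """Hosts in any sliding window holding av_uninstall on >= min_hosts hosts.

    Legitimate decommissioning removes AV from one box at a time; an attacker
    disabling defences ahead of ransomware does it to many hosts at once.
    """
    uninstalls = [ev for ev in events if ev["event"] == "av_uninstall"]
    flagged = set()
    i = 0
    for j, ev in enumerate(uninstalls):
        while ev["ts"] - uninstalls[i]["ts"] > window:
            i += 1
        hosts = {e["host"] for e in uninstalls[i:j + 1]}
        if len(hosts) >= min_hosts:
            flagged |= hosts
    return sorted(flagged)


def triage(text):
    """Run all three checks over a log and return the findings."""
    events = parse_events(text)
    return {
        "unacknowledged_quarantines": unacknowledged_quarantines(events),
        "quarantine_then_tamper": quarantine_then_tamper(events),
        "uninstall_burst_hosts": uninstall_burst_hosts(events),
    }


if __name__ == "__main__":
    for name, hosts in triage(SAMPLE_LOG).items():
        print(f"{name}: {hosts}")
```

On the constructed sample, the quarantine on ws-0417 is never acknowledged, the same host loses its AV the next day, and three file servers lose theirs within two minutes of it, while the lone decommission on ws-0999 a month later is left alone. Any one of the first three findings should open an incident rather than a ticket.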
The offending period was between March 2019 and December 2020.
The ICO served Interserve with a notice of intent – the legal document that precedes a fine – proposing a £4.4 million penalty. After considering representations from Interserve, the ICO decided not to reduce the provisional figure.
John Edwards, UK Information Commissioner, said in a statement:
"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.
"Leaving the door open to cyber attackers is never acceptable, especially when dealing with people's most sensitive information. This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud."
Edwards said he is meeting fellow data regulators around the world this week to "work towards consistent international cyber guidance so that people's data is protected wherever a company is based". ®