The ICO exists to empower you through information.

Descriptive transcript of this video

Overview: The video is an animation, with text appearing on screen along with relevant icons and graphics. A voiceover narrates the text and music plays in the background throughout.

"The ICO fined Interserve £4.4m for failing to keep people's data safe. What happened?"

"What happened?" appears in a graphic in the style of a computer dialogue box.

A graphic of a person using a laptop appears, along with an icon of an envelope with a paper clip attached.

"An Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve's system, to another employee."

A graphic of a person using a desktop computer appears, along with another icon of an envelope with a paper clip attached. The envelope turns into a down-facing arrow, and a download bar appears underneath.

"The other employee opened it and downloaded its content."

A warning sign appears.

"Malware was then installed onto their workstation."

The warning sign remains on screen, along with graphics representing computer servers and a computer user account. The graphics are connected by a horizontal dotted line.

"The hacker compromised 283 systems and 16 accounts."

The number 133,000 appears in digits, surrounded by simple icons representing people.

"133,000 staff were affected."

Graphics representing a contact card, a house and a payment card and currency appear.

"The compromised data included contact details, National Insurance numbers and bank account details..."

Graphics representing an intertwined male and female sex symbol, a clipboard with a medical symbol, a person in a wheelchair, and a flag with a heart appear.

" well as special category data including ethnic origin, religion, disabilities, sexual orientation and health information."

An open padlock appears, in front of two lines of computer code.

"The hacker then encrypted and rendered the personal data unavailable."

The padlock closes.

Graphics representing an alarm, a computer dialogue box with a cross mark, and a person speaking appear.

"The ICO investigation found that Interserve failed to act on warnings of suspicious activity, used outdated systems and protocols, and lacked adequate staff training."

Text appears, with no graphics.

"Interserve failed to put appropriate technical and organisational measures in place to prevent the unauthorised access of people's information.

"This is a breach of a data protection law."

The ICO logo appears.

The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.

The warning comes as the Information Commissioner’s Office (ICO) issued a fine of £4,400,000 to Interserve Group Ltd, a Berkshire based construction company, for failing to keep personal information of its staff secure. This is a breach of data protection law.

The ICO found that the company failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

John Edwards, UK Information Commissioner, said:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency. The ICO and NCSC already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

John Edwards will be attending the 44th Global Privacy Assembly (GPA) in Turkey this week, where more than 120 data protection and privacy authorities will meet. At the GPA, the ICO will present a resolution calling for further international collaboration to increase cyber resilience across the world.

Details of the Interserve data breach

An Interserve employee forwarded a phishing email, which was not quarantined or blocked by the Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.

The company’s anti-virus quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems.

The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.

Interserve broke data protection law by failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information.

The ICO issued Interserve with a ‘notice of intent’ - a legal document that precedes a potential fine. The provisional fine amount was set at £4.4million. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.

Cyber security guidance for organisations

Protecting a business from a cyber attack can feel technical or intimidating. But most organisations we see getting it wrong have made preventable mistakes.

To better safeguard people’s data, organisations must regularly monitor for suspicious activity and investigate any initial warnings; update software and remove outdated or unused platforms; update policies and secure data management systems; provide regular staff training; and, encourage secure passwords and multi-factor authentication.

In the event of a cyber attack, there is a regulatory requirement to report this to the ICO as the data regulator. Whereas National Cyber Security Centre (NCSC) – as the technical authority on cyber security – provides support and incident response to mitigate harm and learn broader cyber security lessons.

Earlier in the year, the ICO worked with NCSC to remind organisations not to pay a ransom in case of a cyber attack, as it does not reduce the risk to individuals and is not considered as a reasonable step to safeguard data. For more information, take a look at the ICO ransomware guidance or visit the NCSC website to learn about mitigating a ransomware threat via their business toolkit.

Notes to editors

  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
  3. The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
  4. The ICO has the power to impose a civil monetary penalty (CMP) on a data controller of up to up to £17.5 million, or 4% of total global annual turnover, whichever is higher.
  5. This penalty was issued under the DPA2018 for infringements of the GDPR.
  6. Any monetary penalty is paid into the Consolidated Fund, which is the Government’s general bank account at the Bank of England, and is not kept by the ICO.
  7. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to