Construction group Interserve was fined by the UK's Information Commissioner's Office (ICO) over a cyberattack that took place in May 2020.
The fine amounts to £4.4 million ($4.9 million); the ICO found that the organization had failed to put in place appropriate cybersecurity measures to protect its employees' personal data.
Details about the Attack
The attack, which exposed the personal information of 113,000 employees, started with a phishing email received by one of the company's employees and forwarded to a colleague.
Opening that email deployed malware on one of Interserve's devices. From there the attacker compromised 283 systems and 16 accounts, uninstalled the antivirus software, and encrypted staff-related data.
The exposed personal data includes:
- contact details
- national insurance numbers
- bank account details
- ethnic origin
- religion
- details of any disabilities
- sexual orientation
- health information
The Legal Consequences
The malicious email was neither blocked nor quarantined by the organization's email security controls, and although the antivirus solution in place did detect the malware, nobody investigated the alert further.
That is why the ICO fined the Berkshire-based construction company for failing to implement adequate safeguards for its employees' data.
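The failure described above is an alerting gap rather than a detection gap: the antivirus raised an alert, but no one acted on it, and the attacker then removed the antivirus and went on to encrypt data. The following Python is an added example, not code from the article or from Interserve, that shows the two checks a security operations team would want for this case: an antivirus detection with no analyst triage within a service-level window, and an antivirus service being removed from a host after that host had already produced a detection. The log format, host names, event names and timestamps are all constructed for the example and do not come from the incident.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical format, not Interserve data):
# one event per line, "timestamp|host|source|event|detail".
SAMPLE_EVENTS = """\
2020-05-01T09:12:00|WS-0417|av|detection|Trojan.Downloader quarantined
2020-05-01T09:13:30|WS-0417|av|alert_sent|mailbox=secops
2020-05-01T11:40:00|WS-0417|host|service_removed|name=EndpointProtection
2020-05-01T13:05:00|FS-02|av|detection|Ransom.Generic quarantined
2020-05-01T13:20:00|FS-02|soc|triage_started|ticket=INC-1001
2020-05-02T02:00:00|WS-0417|host|process_start|name=cryptor.exe
""".splitlines()

# Assumed triage service level: an AV detection must be picked up within an hour.
TRIAGE_SLA = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    event: str
    detail: str


def parse(lines):
    """Parse the pipe-delimited lines into Event records, oldest first."""
    events = []
    for line in lines:
        ts, host, source, event, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, source, event, detail))
    return sorted(events, key=lambda e: e.ts)


def untriaged_detections(events, sla=TRIAGE_SLA):
    """Return (host, timestamp) for every AV detection that no analyst started
    triaging on the same host within the SLA window."""
    findings = []
    for e in events:
        if e.source == "av" and e.event == "detection":
            triaged = any(
                f.host == e.host
                and f.event == "triage_started"
                and e.ts <= f.ts <= e.ts + sla
                for f in events
            )
            if not triaged:
                findings.append((e.host, e.ts.isoformat()))
    return findings


def av_tamper_after_detection(events):
    """Return (host, timestamp, detail) for every removal of the endpoint
    protection service that happened after an AV detection on that host.
    Removing AV after a detection is a strong sign an intruder is disabling
    protection before staging further actions such as encryption."""
    findings = []
    for e in events:
        if e.source == "av" and e.event == "detection":
            for f in events:
                if f.host == e.host and f.event == "service_removed" and f.ts > e.ts:
                    findings.append((e.host, f.ts.isoformat(), f.detail))
    return findings


if __name__ == "__main__":
    evts = parse(SAMPLE_EVENTS)
    for host, ts in untriaged_detections(evts):
        print(f"[HIGH] untriaged AV detection on {host} at {ts}")
    for host, ts, detail in av_tamper_after_detection(evts):
        print(f"[CRITICAL] AV removed on {host} at {ts} after detection ({detail})")
```

In the constructed data, the FS-02 detection is picked up by an analyst fifteen minutes later and is not reported, while WS-0417 is flagged twice: once for the detection nobody looked at, and again when the endpoint protection service disappears from that host two and a half hours later. The second rule is the one that turns a single unactioned alert into a critical incident before the encryption stage.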
“The ICO determined that Interserve had violated data protection law by lacking proper employee training, failing to put technical safeguards in place, and using outdated software systems and protocols”, according to Cybernews.
This is the fourth-largest fine the ICO has imposed, and it is intended as a prompt for businesses to reassess their level of cyber preparedness, even though Interserve has sought to have it reduced on the grounds of mitigating circumstances.
"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office."
John Edwards, UK Information Commissioner, via Cybernews