Interserve Group Limited, a British construction company, was fined £4.4 million by the UK Information Commissioner’s Office (ICO) following a successful phishing email attack, which affected the personal data of around 113,000 employees.
What happened?
A malicious actor sent a phishing email to the mailbox of Interserve’s account team, crafted to appear as though an attached document required urgent review. The email was opened, which executed the installation of malware and gave the attacker access to the workstation. At the time, the employee who opened the email was working from home and connected to Interserve’s systems via a split tunnelling arrangement, under which only traffic bound for corporate systems passed over the VPN while other internet traffic went directly out over the employee’s own connection. As a result of that split tunnelling arrangement, the email did not pass through Interserve’s filtering system, which was designed to help identify malicious emails.
Upon discovering the incident, Interserve acted immediately and received a report that the malware files had been automatically removed. In fact, however, the attacker retained access to the employee’s workstation. As a result, the attacker was able to compromise 283 systems and 16 accounts, affecting the personal data of 113,000 current and former employees.
The compromised databases contained a vast amount of personal information, including contact details (telephone numbers and email addresses), National Insurance numbers, bank account details, marital status, birth date, education, country of birth, gender, number of dependants, emergency contact information, and salary, as well as special category data including ethnic origin, religion, disabilities, sexual orientation, and health information.
Factors taken into account by the ICO when calculating the fine
The ICO investigation found that Interserve (among other things) did not act on warnings of suspicious activity, it used outdated systems and protocols, and it lacked adequate staff training. When calculating the penalty, the ICO considered these to be aggravating factors, which ultimately contributed to the £4.4 million figure. In addition, when calculating the penalty, the ICO considered the following:
- Number of affected individuals and the level of damage suffered by them – Attackers were able to access the personal data of up to 113,000 individuals, including special category data.
- Nature, gravity, and duration of the infringement – The volume and type of personal data involved in the incident were considered significant. Further, for a period of up to three months, affected individuals were unable to obtain timely access to all of their personal data.
- Negligent character of the infringement – Whilst not intentional or deliberate, the infringements resulted from negligence. Interserve failed to adequately consider the key requirement to protect personal data.
- Action taken to mitigate damage suffered by individuals – Although Interserve restored the personal data, this was not undertaken in a timely manner. Interserve made substantial financial investments to raise its security standards following the incident, but the ICO Notice states those steps could and should have been taken much earlier.
- Degree of responsibility and cooperation with the ICO – Interserve was considered responsible for the security of its systems. Interserve fully cooperated with the ICO.
- Size of the organisation – Given Interserve’s size, and particularly the size of its workforce and the volume and nature of personal data it processed about that workforce, higher standards of security were expected.
- Previous regulatory action and directions – Interserve had been the subject of two previous personal data breach incidents, following which the ICO had directed Interserve to review the ICO’s GDPR Guidance, including its Security Guidance.
- Impact of COVID-19 and remote working – When the Interserve employee clicked on the phishing link, this action was not protected by Interserve’s corporate internet filtering system because the employee was working remotely through a split tunnelling arrangement. This arrangement meant that activities were routed through the employee’s own internet connection. In normal circumstances, the phishing link would have been blocked by the filtering, but it was not blocked by the employee’s own arrangements.
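The split tunnelling point above is the one concrete technical finding in the Notice: with a split tunnel, only traffic for corporate subnets goes over the VPN, so web and email traffic from the home network never reaches the corporate filtering stack. The following PowerShell is an added example written for this alert (it is not code from the ICO Notice or from Interserve) showing how an administrator can audit the Windows VPN profiles on a workstation for split tunnelling and switch an offending profile to a full tunnel. It assumes the built-in VpnClient module (Get-VpnConnection / Set-VpnConnection) is available; the connection name 'Corp-VPN' is a placeholder.

```powershell
# Added example: audit Windows VPN connection profiles for split tunnelling
# and, where required, force a full tunnel so that all traffic traverses the
# corporate filtering stack. Assumes the VpnClient module; 'Corp-VPN' is a
# placeholder connection name.

function Get-SplitTunnelReport {
    # One object per VPN profile, covering both current-user and all-user scopes.
    $profiles = @()
    $profiles += Get-VpnConnection -ErrorAction SilentlyContinue
    $profiles += Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        [pscustomobject]@{
            Name           = $p.Name
            ServerAddress  = $p.ServerAddress
            TunnelType     = $p.TunnelType
            SplitTunneling = $p.SplitTunneling
            # With split tunnelling enabled, non-corporate traffic leaves via the
            # home connection and bypasses corporate web/email filtering.
            Risk           = if ($p.SplitTunneling) {
                                 'HIGH: internet traffic bypasses corporate filtering'
                             } else {
                                 'OK: full tunnel'
                             }
        }
    }
}

function Set-FullTunnel {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [switch] $AllUserConnection
    )
    # -SplitTunneling $false installs the default route over the VPN adapter,
    # so browsing and mail traffic are inspected by the corporate filters.
    Set-VpnConnection -Name $Name -SplitTunneling $false `
        -AllUserConnection:$AllUserConnection -PassThru
}

# Usage: report first, then remediate the flagged profile (placeholder name).
Get-SplitTunnelReport | Format-Table -AutoSize
# Set-FullTunnel -Name 'Corp-VPN' -AllUserConnection
```

The report is deliberately separate from the remediation so that it can be run read-only across a fleet (for example through a management agent) before any profile is changed; a profile that shows SplitTunneling = True is exactly the arrangement the Notice describes.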
How can organisations help protect themselves?
The ICO’s decision is an emphatic reminder to organisations that they should at all material times be aware of and comply with published guidance from the ICO and the National Cyber Security Centre (NCSC).[1] Organisations should ensure compliance with industry best practice standards from the National Institute of Standards and Technology (NIST) (including NIST 800-50, 800-53, and 800-54) and the International Organisation for Standardisation (ISO) (including ISO 27001 and 27002). The Notice highlights the following specific information security requirements:
- Implement and maintain supported operating systems, software, and protocols – Including planning for and implementing a technology refresh schedule, replacing system components when support for the components is no longer available, and conducting a risk assessment that identifies threats to, and vulnerabilities in, the system.
- Implement and maintain appropriate end-point protections – Including installing up-to-date anti-virus and anti-malware software, implementing application allow/deny list solutions, disabling or constraining scripting environments and macros, and configuring host-based firewalls.
- Conduct regular and effective vulnerability scanning and penetration testing – In this case, the ICO found that no penetration testing had been conducted by Interserve in the two years prior to the incident.
- Implement appropriate and effective information training – Ensure training for all employees prior to obtaining access to the IT system, including specific phishing training and safe remote working practices.
- Conduct an effective and timely investigation into the cause of an initial attack – This may include conducting information security forensic analysis and dealing with information security weaknesses and post-incident analyses to identify the source of the incident.
- Effectively manage privileged account access – Ensure that a minimum number of users are given domain privileges and only where strictly necessary.
- Adopt and implement appropriate policies and standards directed at information security – Ensure that these are effectively implemented and adhered to, with appropriate management oversight through the use of internal audits to ensure their continuing suitability, adequacy, and effectiveness.
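Several of the controls listed above (end-point protections, constrained macros, host-based firewalls, minimal domain privileges) can be checked and, for the workstation items, enforced from PowerShell. The script below is an added example written for this alert, not code from the ICO Notice or from Interserve. It assumes Office 2016 or later policy keys under HKCU (the 16.0 key; in practice these would normally be delivered by Group Policy), the NetSecurity module for the host firewall, and the ActiveDirectory RSAT module for the privileged-group report; the group names and the VBAWarnings value chosen are illustrative and must be run with appropriate administrative rights.

```powershell
# Added example: baseline check and hardening for three of the controls above.
# Assumptions: Office 2016+ policy keys (16.0), NetSecurity module, ActiveDirectory
# RSAT module. Group names and thresholds are illustrative.

# 1. Macros. VBAWarnings: 3 = disable all except digitally signed, 4 = disable all
#    without notification. blockcontentexecutionfrominternet: 1 = block macros in
#    files downloaded from the Internet (Mark-of-the-Web).
function Test-OfficeMacroPolicy {
    param([string[]] $Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $vba
            BlockFromInternet = $motw
            Compliant         = ($vba -in @(3, 4)) -and ($motw -eq 1)
        }
    }
}

function Set-OfficeMacroPolicy {
    param([string[]] $Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

# 2. Host firewall: every profile enabled, inbound blocked by default.
function Test-HostFirewallBaseline {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile   = $_.Name
            Enabled   = $_.Enabled
            Inbound   = $_.DefaultInboundAction
            Compliant = ($_.Enabled -eq 'True') -and ($_.DefaultInboundAction -eq 'Block')
        }
    }
}

function Set-HostFirewallBaseline {
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

# 3. Privileged access: list the expanded membership of high-privilege domain
#    groups so it can be reviewed against a minimum-necessary list.
function Get-PrivilegedGroupReport {
    param([string[]] $Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Group       = $g
            MemberCount = @($members).Count
            Members     = (@($members) | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

# Usage: audit first; call the Set-* functions only after reviewing the output.
Test-OfficeMacroPolicy    | Format-Table -AutoSize
Test-HostFirewallBaseline | Format-Table -AutoSize
Get-PrivilegedGroupReport | Format-List
```

The Test-* functions are read-only and suitable for scheduled drift checks; the privileged-group report is intended as input to a periodic access review rather than an automated change, because membership reductions need an owner's sign-off.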
While the ICO’s decision against Interserve is an important reminder for organisations not to forget about their security measures, it also offers a sobering tale for employees and workers in remote working arrangements. Even if your organisation implements the most up-to-date security measures on its end, they can be overcome if your remote arrangements do not have sufficient protection, such as strong passwords, secured home WiFi, and secure connections to your organisation’s VPN network and firewalls.
Harry Anderson, a trainee solicitor in our London office, contributed to the drafting of this Client Alert.
[1] Guidance includes: NCSC and ICO Guidance on “GDPR security outcomes” (2018); NCSC Guidance on “Mitigating malware and ransomware attacks” (2020); and NCSC Guidance on “Vulnerability management” (2016).