Information Commissioner finds firm’s security measures lacking

The Information Commissioner (ICO) has hit Interserve with a £4.4m fine after weak security measures allowed hackers to steal the personal data of up to 113,000 current and former employees.

Cybercriminals struck in May 2020, using a phishing email to gain access to employee information at the firm, which is a Ministry of Defence contractor and had recently been involved in the construction of the NHS Nightingale Hospital in Birmingham.

According to the ICO, the company, which employed roughly 53,500 people at the time of the attack, broke data protection law by failing to put in place appropriate technical and organisational measures in place to prevent unauthorised action of private data.


The hack took place shortly after Interserve’s involvement in the construction of Nightingale Hospital in Birmingham

A similar attempt had been made on Bam Construct, another Nightingale firm, the week prior, but unlike Interserve the company’s day-to-day operations were largely unaffected.

>> Interserve and Bam latest firms to suffer cyber attacks

Interserve data accessed by the hackers included contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

John Edwards, the UK’s information commissioner, said the biggest cyber risk for businesses was “complacency within their company”, though the company has strongly denied wrongdoing.

The ICO’s investigation found Interserve had failed to follow up on an alert of suspicious activity from its anti-virus software, which had flagged that malware had been installed onto an employee’s workstation after the staff member opened and downloaded the content of a forwarded phishing email.

The attacker subsequently compromised 283 systems and 16 accounts as well as uninstalling the company’s anti-virus solution. Personal data for up to 113,000 current and former employees was encrypted and rendered unavailable.

Edwards said: “Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information.

“This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.

>> It’s not a case of if, but when – firms face growing cyber attack threat

The investigation also found that Interserve was using outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments.

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said Edwards.

In a statement, the Interserve Group disputed that its response was “in any way complacent”.

“As the ICO recognises in its [monetary penalty notice], Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff,” it said.

Another attempt was made to hack Interserve in December 2020, with the firm’s equipment services arm RMD Kwikform – since sold to French construction equipment giant Altrad – this time targeted. This second attack reportedly had “very limited impact” on either RMD or its parent.