Employee data breach: Interserve fined £4.4 million

The Information Commissioner’s Office (ICO) has fined Interserve £4.4 million for a GDPR breach after a ransomware attack affected the personal data of up to 113,000 employees.

An Interserve employee forwarded a phishing email to another employee, who opened it and downloaded its content. Malware was subsequently installed on that employee’s workstation. The company’s anti-virus software quarantined the malware and raised an alert, but Interserve failed to investigate thoroughly. Had it done so, it would have realised that an attacker had gained access to its systems.

This is a reminder for employers that they should not be complacent in relation to cyber security. To comply with GDPR’s security obligations, employers should:

  • Regularly monitor for suspicious activity and investigate any initial warnings;
  • Update software and remove outdated or unused platforms;
  • Provide regular staff training on data security;
  • Undertake testing in relation to phishing and other threats;
  • Encourage secure passwords and multi-factor authentication; and
  • Investigate all incidents promptly to identify the cause of the incident, restore the data and check the integrity of the systems.