The Information Commissioner’s Office (ICO) has this week fined Interserve Group Limited £4.4 million in respect of data security failures exposed by a phishing attack that compromised the personal data of up to 113,000 of its current and former employees.
In its Monetary Penalty Notice, the ICO found that between 18 March 2019 and 1 December 2020 the company had failed to process personal data in a manner that ensured appropriate security as required by Article 5(1)(f) and Article 32 GDPR. This rendered Interserve vulnerable to a cyber-attack that took place in the period 30 March 2020 to 2 May 2020. The personal data held on the compromised databases included not only contact details, National Insurance numbers, bank account details, birth dates, education details and salary, but also special category personal data including ethnic origin, religion, details of disabilities, sexual orientation and health information.
The ICO found that Interserve had breached its information security obligations in a number of ways, including:
Many of these breaches contravened Interserve’s own policies and procedures, and industry best practice standards, and the ICO found that Interserve ought reasonably to have been aware of the risks posed by these failings. Taken together, they materially increased the risk of an attack occurring, and the seriousness of the consequences of an attack, and constituted a serious contravention of Interserve’s obligations under the GDPR.
Noting that this was a significant and multi-faceted contravention of the GDPR, in which the contraventions continued for a significant period, the Information Commissioner imposed a penalty on Interserve of £4,400,000. This was on the basis that this would be effective, dissuasive and proportionate given the failings identified, the financial position of the company and the improvements made by the company to mitigate the future risk to data subjects. The amount of the penalty also took into account the fact that Interserve had fully cooperated with the ICO’s investigation.
It is not yet clear whether Interserve intends to appeal against the decision.
The ICO’s decision serves as a reminder of the financial and reputational cost of failing to comply with information security obligations. Although the penalty imposed on Interserve was a relatively small percentage (less than one fifth of 1% of its last reported revenues), it is nevertheless a significant sum, and the reputational damage to Interserve could be considerable.
It is also interesting that Interserve Group Ltd was held to be the relevant controller for the purpose of enforcement, despite the fact the phishing attack and the security failings involved a number of group companies. Where a parent company is responsible for the group’s information security, it will often be much simpler for the ICO to penalise the parent company and not target multiple group companies.
Finally, it was significant that although Interserve had extensive policies and standards governing information security, these policies were neither implemented nor subject to appropriate senior management oversight. Drafting appropriate policies is of course a key step in delivering information security standards; however, policies alone are insufficient unless they are properly implemented and overseen. Regular and effective staff training will be critical for organisations to demonstrate information security compliance to the ICO, and to minimise the risk of cyber-attacks and breaches of data protection legislation.
For further information on how this issue might affect your organisation, please get in touch with your usual Penningtons Manches Cooper contact or Sam Rose, Joanne Vengadesan or Anna Frankum. We have considerable experience advising on data protection and have developed our Data Protection Compliance Service as an end-to-end solution to enable businesses of all sizes to achieve compliance.