UK: ICO issues Fine and Warning to Company for Failing to Protect Staff’s Personal Data
Authors: Corinna Harris and Charles Urquhart
An Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee’s workstation. Interserve’s anti-virus quarantined the malware and sent an alert, but because Interserve failed to investigate the suspicious activity thoroughly, it was not aware that the attacker still had access to its systems.
Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable, including their contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of disabilities, sexual orientation and health information.
The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, did not adequately train staff and had insufficient risk assessments, which left it vulnerable to a cyber-attack.
Key Action Points for Human Resources and In-house Counsel
The ICO warned that: “The biggest cyber risk businesses face is … from complacency within their company” rather than from hackers. Businesses should ensure that the steps they take to protect themselves from a cyber-attack include following up on the original alert of suspicious activity, providing adequate staff training and carrying out risk assessments.