international employment law firm alliance L&E Global
United Kingdom

UK: ICO issues Fine and Warning to Company for Failing to Protect Staff’s Personal Data

Authors: Corinna Harris and Charles Urquhart

An Interserve employee forwarded a phishing email, which had not been quarantined or blocked by Interserve's system, to another employee who opened it and downloaded its content. This resulted in the installation of malware on that employee's workstation. Interserve's anti-virus software quarantined the malware and sent an alert, but because Interserve failed to investigate the suspicious activity thoroughly, it was not aware that the attacker still had access to its systems.

Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable, including their contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of disabilities, sexual orientation and health information.

The ICO investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, did not adequately train staff, and carried out insufficient risk assessments, all of which left it vulnerable to a cyber-attack.

Key Action Points for Human Resources and In-house Counsel

The ICO warned that: “The biggest cyber risk businesses face is … from complacency within their company” rather than from hackers. Businesses should ensure that the steps they take to protect themselves from a cyber-attack include following up on any alert of suspicious activity, providing adequate staff training and carrying out risk assessments.

ICO issues warning as company fined £4.4 million