United Kingdom
Interserve Group Limited
GDPR enforcement action by Information Commissioner (ICO) on 2022-10-19.
Case details
- Authority
- Information Commissioner (ICO)
- Date
- 2022-10-19
- Controller / Processor
- Interserve Group Limited
- Sector
- Industry and Commerce
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The British DPA has fined the construction group Interserve Group Limited EUR 5,033,000. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR.
Interserve had suffered a cyber attack in which the attackers sent a phishing mail to the mailbox of Interserve's accounting team. The mail was opened by an employee who also downloaded and opened an attached zip file. This allowed the attackers to install malware and siphon off personal data from 113,000 employees. The siphoned data contained bank account information, social security numbers, ethnicity, sexual orientation and religion of the data subjects, among other things.
The DPA's investigation found that inadequate security measures allowed the attack to occur.
Interservere employees, for example, had not been adequately trained on data privacy.
In addition, Interserve processed personal data on unsupported operating systems that were no longer subject to security updates to address vulnerabilities in the system. Also, Interserve had not conducted adequate vulnerability scans. Finally, Interserve's information security team had not sufficiently investigated the attack as antivirus software reported that the malware had been removed.
Related fines