The ICO recently fined construction company Interserve Group Ltd £4.4m in response to their failure to sufficiently protect the personal information of their staff, breaching data protection law.
So, what happened?
A seemingly innocuous chain of events with disastrous consequences: an employee forwarded a phishing email to another employee, who then opened and downloaded its contents – installing malware in the process. One email which evaded Interserve’s security system was able to compromise 283 systems and 16 accounts, with around 133,000 members of staff affected.
The data accessed by hackers included some special category data, increasing the severity of the data breach. The information collected included:
- Contact details
- National Insurance numbers
- Bank account details
- Ethnic origin
- Religion
- Disabilities
- Sexual orientation
- Medical information
Interserve’s culpability
The ICO concluded that Interserve had not only failed to recognise and respond to warning signs of suspicious activity but had neglected to implement a successful data protection culture in the workplace. Their security systems were outdated and their staff were not sufficiently trained to recognise potential data breaches.
The Interserve incident serves as a reminder to all of us that complacency remains the greatest asset in a hacker’s arsenal. As ICO Commissioner John Edwards warned:
“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”
We couldn’t have said it any better ourselves!
DPAS is here to help your organisation comply with data protection laws. Staff training and awareness for Information Security, Cyber Security and Data Protection should be on the agenda at all times. It doesn’t always need to be a day-long course; there are so many options available.
From conducting an audit to identify areas of weakness to providing staff training, you can get in touch with us at info@dataprivacyadvisory.com or give us a call on 0203 301 3384 and we can walk you through the best options for your business.