Interserve fined £4.4 million for failing to stop a phishing attack

Major construction company Interserve has been fined £4.4 million by Britain’s data watchdog. The penalty was imposed following a phishing attack during which over 113,000 workers’ financial and personal information was stolen, and the organisation failed to have measures in place to prevent it.

According to the Information Commissioner’s Office (ICO), Interserve failed to implement the necessary security measures to prevent against a cyber-attack. Because of this, hackers were able to use a phishing email to get access to the personal information of workers.

The ICO claimed that the data stolen included bank account information, contact information, and National Insurance numbers. Hackers also have access to extremely private details including racial background, religion, any physical or mental problems, gender identity, and health.

The initial attack was in March 2022 with the subsequent data leak being due to poor training, monitoring and security measures. One employee forwarded the phishing email to another who opened it and downloaded the content because security systems hadn’t blocked it

The company’s antivirus blocked the malware and sent out an alert, but according to the ICO, Interserve did not fully analyse the potentially suspicious activity.

Following the breach of 283 systems and 16 accounts, the attacker also removed the company’s anti-virus programme. Interserve Ignored the phishing attack Importance:

Interserve used old version software systems and techniques, lacked appropriate personnel training, and conducted insufficient risk assessments.

Information commissioner for the UK, John Edwards, said:

This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud. Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people’s most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company.

The highest fine that the ICO may impose is £17.5 million or 4% of the worldwide yearly revenue. If a firm can provide justifications for the reduction in penalties, it may decide to pursue it.

The ICO stated that it had decided not to lower the amount of the fine, which was the fourth biggest it had ever issued, after giving Interserve’s arguments “careful consideration.”

Phishing Attacks are Widespread

According to James Houghton, Phishing Tackle’s CEO, the news highlights how important it is for businesses and their employees to understand the risk that comes with cybersecurity and how they can effectively defend themselves from cyber-attacks.

The global trend to remote work has increased the incidence, complexity, and effect of phishing attacks, according to research from automation platform Ivanti. In the past year, phishing attacks have affected nearly three-quarters (74%) of interviewees’ organisations.

The epidemic increased the development rate of remote work and digitalisation, claims the World Economic Forum (WEF). With so much personal data now available online, businesses, organisations, infrastructure, and even governments are being specifically targeted by cybercriminals looking to profit from it.

Strategies for managing with attacks to target and exploit the credentials and personal information of clients and workers must be in place by organisations. To control the overlapping virtual and physical threats of identity-based cyberattacks, they must allocate enough resources. Nearly 50% of security executives say their organisation has noticed a rise in physical security risks and events in the past year.

For failing to protect children’s privacy between 2018 and 2020, the ICO last month issued TikTok with a “written notice” imposing fine of up to £27 million. Early this year, as the Russian invasion of Ukraine loomed, the ICO and the National Cyber Security Centre (NCSC) recommended UK businesses to strengthen their online security.

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.

Recent posts