The ICO issues a firm warning to businesses as it fines UK construction firm, Interserve Group Limited, £4.4 million

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), recently published details of its most recent monetary penalty notice. This latest notice imposes a penalty of £4.4 million on construction and outsourcing firm, Interserve Group Limited, arising from a cyber-attack in 2020.

Here, we look at what businesses can learn from the notice and what it reveals about the ICO’s enforcement strategy.

What was the nature of the cyber incident?

In March 2020, an Interserve employee received an email containing a malicious link which, when clicked, would infect the recipient with malware. The email was distributed internally and eventually the link was opened by an Interserve employee. Due to the employee logging on via a ‘split tunnelling’ method, the company’s antivirus software was not able to fully detect and delete the malware.

After the employee’s laptop was infected with the malware, Interserve’s antivirus software automatically removed some of the malware, but crucially not all, and a secondary review was not undertaken to ensure that all malware had been identified and removed. As a result, a malicious third-party was able to move laterally through Interserve’s systems and compromise 283 systems and 16 accounts (12 of which were privileged). The motivation of the attack was seemingly to detonate ransomware on the Interserve’s systems which was achieved by 2 May 2020. Personal and sensitive data relating to up to 113,000 individuals was present on the affected systems.

It is not clear from the notice whether a ransom was paid to the cybercriminal to avoid publication of data or obtain decryption keys, or whether personal data was exfiltrated from Interserve’s systems.

How did the ICO establish any breach of the DPA/GDPR?

The notice sets out that Interserve failed to comply with Articles 5(1)(F) and 32 of the GDPR. There are a number of specific failures cited by the ICO which they state amount to material breaches of the GDPR.

Breaches of Article 5(1)(F)

  1. “Unsupported operating systems”
    The ICO found that the failure of Interserve to maintain supported operating systems breached its own systems management policy and standards, as well as industry standards.
  2. “Endpoint protection”
    The ICO found that the failure to keep endpoint protection up to date, enable host-based firewalls, implement “allow or deny” lists and their failure to prevent macros from executing on the compromised host constitute a collective breach of the GDPR. These practices failed to comply with Interserve’s own standards and relevant guidance from the NCSC and McAfee.
  3. “Threat and vulnerability policy”
    As Interserve had failed to undertake penetration testing for two years, the ICO considered this to be a breach of Article 5(1)(F) as it constituted a failure to comply with Interserve’s own policy and NCSC guidance.
  4. “Information Security Training”
    At the time of the cyber-attack, one of the two affected employees had not had information security training. This was deemed contrary to Interserve’s own policies, and NCSC guidance.
  5. “Outdated protocols”
    At the time of the incident, the insured were deploying software which had since been replaced by updated versions. The ICO considered this to be contrary to Interserve’s own policies, Microsoft guidance.
  6. “Incident Response”
    Following the initial attack and the alert triggered by anti-virus software, the ICO consider that Interserve did not thoroughly investigate and remediate allowing the cybercriminal to retain access. This is considered by the ICO to be a breach of Interserve’s own systems, as well as relevant industry standards.
  7. “Privileged Account Management”
    At the time of the incident, Interserve had 280 users within the domain administrator group of which 12 were compromised. The ICO considers that the failure to adequately manage privileged groups is likely to have contributed to the cybercriminal’s ability to traverse Interserve’s network.

Breaches of Article 32

In addition, the failure to ensure employees had undertaken phishing training and to implement adequate technical and organisational measures led the ICO to further conclude that Interserve had breached Article 32 of the GDPR.

The ICO also set out alleged failures in respect of restoring data with it taking over two months to restore keys systems and personal data. The reason for the restoration timeline is not made clear in the notice.

The ICO investigation timeline

It is worth noting the timescales of the ICO’s enforcement process. The ICO were notified of the incident on 5 May 2020, with their investigation running for almost two years culminating in a notice of intent to impose a penalty on 27 April 2022.

There were then subsequent exchanges and a ‘representations meeting’ held at which point the ICO affirmed their decision to issue a penalty.

With the notice then being issued formally on 24 October 2022, the total time since the ICO were notified is almost two and a half years, with Interserve still having a right to appeal.

How was the fine calculated?

The criteria that the ICO will consider when issuing any regulatory fine is set out in their Regulatory Action Policy (RAP) and is broken into five steps which are summarised below. Step 2 was key in this incident.

Step 1: Removing any initial gain

As Interserve were the victim of this incident, they did not gain financially, and so this section was calculated as nil. In the context of an external cyber attack it is always likely that this section will be nil (save in exceptional circumstances).

Step 2: Adding in an element to censure the breach based on its scale and severity

In this notice, this was the key step, as it relates to each of the relevant provisions in Article 32 of the GDPR which sets out the relevant conditions for imposing administrative fines.

As this incident was determined to be a “multi-faceted contravention” which continued for a significant period and affected up to 113,000 data subjects, the starting point for the penalty was deemed to be £4 million based on the nature, gravity and duration of the failure. However, it is not clear from the penalty notice how this initial figure was calculated. As a rough guide, the penalty amounts to approximately £35.40 per affected data subject.

Given the steps taken to mitigate by Interserve the fine was reduced by 12.5% to £3.5 million. The mitigation steps which were considered as material to the reduction includes:

  • The instruction of specialist professional incident response vendors.
  • Reports to the ICO, NCSC and NCA.
  • The decision to proactively contact data subjects (despite a high risk not being established).
  • The undertaking of dark web monitoring which did not show a detriment to the data subjects.

It was then considered by the ICO that Interserve had failed in its basic security requirements (as demonstrated in the breaches detailed above) which the ICO found could have been rectified without significant cost and by taking account of publicly available guidance. The size of Interserve and its workforce was also factored into these failures suggesting larger organisations will be held to a higher standard by the ICO. As a result of these aggravating factors the fine was increased by 28.5% or £1 million.

As Interserve complied with the ICO investigation, notified promptly and went beyond the minimum in respect of its security improvements, a final discount of £100,000 (2.22%) was applied.

Step 3: Adding an element to reflect any aggravating factors

This was accounted for by the ICO under step 2.

Step 4: Adding in an amount as a “deterrent effect to others”

The notice does not add any amount as a deterrent as the ICO considers “that a fine, accompanied by appropriate communications in accordance with the Regulatory Action Policy, would serve as an effective deterrent”.

Step 5: Reducing the amount to reflect any mitigating factors

This was accounted for by the ICO under step 2.

Consideration is also given to the Deregulation Act 2015 and the possible risk of any fine to economic growth as well as the possible impact on the business and wider business community. However, no adjustments were made on the basis of this legislation.

Key takeaways for businesses

This latest penalty notice from the ICO provides some useful clarity on the calculation of fines and factors which the ICO consider to take precedence. Our key takeaways are:

  1. The importance of responding to a cyber incident quickly and professionally. The ICO applied a significant reduction for the mitigation steps that Interserve took, including the appointment of breach response specialists.
  2. The size of an organisation will be considered in assessing whether the technical and organisation measures in place are reasonable. The ICO considered that the resources available to Interserve aggravated its failures.
  3. Consideration will be given to the accessibility of regular training offered to staff, encouraging staff to be aware and report any suspicious activity which may result in early detection of an incident. The ICO has emphatically reinforced the principle that organisations should be following their own best practices and industry standards such as the International Information Security Standard, Special Publications and NCSC guidance.
  4. ICO investigations can continue for several years and the ICO appear to be adopting an approach which involves in person meetings. Should the draft Data Protection and Digital Information Bill continue in parliament this would add to the ICO’s powers by granting them the power to interview as part of their enforcement process.
  5. The ICO has provided some further detail about their calculations in respect of fines. There are notable discounts of £1.1 million applied for cooperation with the ICO, the appointment of professional vendors and Interserve taking steps to mitigate the impact on data subjects (such as dark web monitoring).

It is not currently known whether Interserve intend to appeal the fine in the Information Rights Tribunal and therefore this may not be the end of the line for this regulatory penalty.

Related item: The ICOs first public demonstration of power and its reverberations through the business community