£4.4m fine shows the need to prevent phishing attacks

Hackers accessed the personal data of up to 113,000 employees through a phishing email, highlighting the importance of understanding the risks of attacks

Britain’s data watchdog has fined a construction company £4.4mn for failing to keep the personal information of its staff secure.

The Information Commissioner’s Office (ICO) found that Interserve failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

According to the ICO, in March 2020 an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.

The company’s anti-virus quarantined the malware and sent an alert, but the ICO said Interserve failed to thoroughly investigate the suspicious activity. 

The attacker subsequently compromised 283 systems and 16 accounts, and uninstalled the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.

Importance of understanding the risks of phishing attacks

The announcement highlights the importance of organisations and their staff understanding the risks of cybersecurity and how they can best protect themselves from attacks, says Sridhar Iyengar, MD for Zoho Europe.

“Implementing and executing an effective data privacy policy takes work and commitment,” he comments. “Businesses need to understand where their data security weaknesses reside, before they can address them. For example, organisations that opt for a remote or hybrid working model might not have full oversight on who or what is connecting to their networks. Without the right privacy best-practice policies and security measures in place, there’s nothing to deter employees from using their own, often unprotected, devices, networks and communication channels to handle extremely sensitive business data. Training and culture form a core part of how employees operate and leaders must ensure their staff both understand and adopt the right practices to adhere to privacy and security policies.”

Research by automation platform Ivanti has found that the global shift to remote work has exacerbated the onslaught, sophistication and impact of phishing attacks. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year.

According to the World Economic Forum (WEF), the pandemic has accelerated progress towards remote working and digitisation. With so much more personal information now online, companies, institutions, infrastructure and even democracies are being maliciously targeted by actors wishing to exploit it.

Organisations must have plans in place to deal with attempts to target and exploit the personal data and identities of customers and employees. They must commit adequate resources to manage the converging digital and physical risks of identity-based cyber attacks, as almost 50% of security leaders report an increase in physical security threats and incidents at their company over the last year.

Last month, the ICO issued TikTok with a “notice of intent” of up to £27mn for failing to protect the privacy of children between 2018 and 2020. Earlier this year, the ICO and the National Cyber Security Centre (NCSC) urged UK companies to bolster their digital security as the Russian invasion of Ukraine loomed.
