£4.4m fine shows the need to prevent phishing attacks

Hackers accessed the personal data of up to 113,000 employees through a phishing email, highlighting the importance of understanding the risks of attacks

Britain’s data watchdog has fined a construction company £4.4mn for failing to keep the personal information of its staff secure.

The Information Commissioner’s Office (ICO) found that Interserve failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.

The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

According to the ICO, in March 2020 an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.

The company’s anti-virus quarantined the malware and raised an alert, but the ICO said Interserve failed to investigate the suspicious activity thoroughly.

The attacker subsequently compromised 283 systems and 16 accounts and uninstalled the company’s anti-virus solution. The personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
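The chain the ICO describes has a detectable shape: an anti-virus quarantine alert that is acknowledged but never investigated, followed days later by the product being removed and by new privileged sessions on that host and on others reached from it. The following triage rule is an added example written for this article, not Interserve’s or the ICO’s material. The log format, field names (host, event, key=value details), the four-hour investigation SLA and the three-day escalation window are all assumptions chosen for the example, and the log lines are constructed sample data rather than real telemetry.

```python
"""Triage rule for the failure mode described above: an AV quarantine that was
acknowledged but not investigated, then AV removal and lateral movement.

Added example with an assumed log format. All sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Assumed format per line:
#   <ISO timestamp> <host> <event> [key=value ...]
SAMPLE_LOG = r"""
2020-03-01T09:02:11Z ws-0412 av_quarantine malware=Trojan.Generic path=C:\Users\a\Downloads\invoice.exe
2020-03-01T09:03:40Z ws-0412 alert_ack analyst=helpdesk
2020-03-02T21:14:05Z ws-0412 av_uninstall product=CorpAV
2020-03-02T21:20:17Z ws-0412 new_admin_session user=svc-backup
2020-03-02T21:31:55Z fs-0007 new_admin_session user=svc-backup src=ws-0412
2020-03-01T11:00:00Z ws-0299 av_quarantine malware=Adware.X path=C:\Temp\toolbar.exe
2020-03-01T12:30:00Z ws-0299 investigation_opened ticket=SEC-1001
"""

INVESTIGATION_SLA = timedelta(hours=4)   # assumed: a quarantine must get a real investigation within 4h
ESCALATION_WINDOW = timedelta(days=3)    # assumed: follow-on activity within 3 days is treated as related
FOLLOW_ON_EVENTS = {"av_uninstall", "new_admin_session"}


def parse_line(line):
    """Parse one assumed-format line into a dict with a parsed timestamp."""
    ts, host, event, *fields = line.split()
    detail = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "event": event, "detail": detail}


def triage(log_text, sla=INVESTIGATION_SLA, window=ESCALATION_WINDOW):
    """Return {host: [(finding, context), ...]} for hosts that need escalation.

    A plain 'alert_ack' does not count as an investigation: only an
    'investigation_opened' event inside the SLA clears the quarantine.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = defaultdict(list)
    for host, evs in by_host.items():
        for q in (e for e in evs if e["event"] == "av_quarantine"):
            start, end = q["ts"], q["ts"] + window
            investigated = any(e["event"] == "investigation_opened"
                               and start <= e["ts"] <= start + sla for e in evs)
            if not investigated:
                findings[host].append(("uninvestigated_quarantine",
                                       q["detail"].get("malware", "?")))
            # Same-host follow-on: AV removed or a new privileged session appears.
            for e in evs:
                if e["event"] in FOLLOW_ON_EVENTS and start < e["ts"] <= end:
                    findings[host].append(("post_quarantine_" + e["event"], e["detail"]))
            # Cross-host follow-on: an admin session elsewhere sourced from this host.
            for e in events:
                if (e["host"] != host and e["event"] == "new_admin_session"
                        and e["detail"].get("src") == host and start < e["ts"] <= end):
                    findings[e["host"]].append(("lateral_from_quarantined_host", host))
    return dict(findings)


def severity(host_findings):
    """Critical if the quarantine was followed by AV removal or movement, else high."""
    kinds = {k for k, _ in host_findings}
    if any(k.startswith("post_quarantine_") or k == "lateral_from_quarantined_host"
           for k in kinds):
        return "critical"
    return "high" if "uninvestigated_quarantine" in kinds else "none"


if __name__ == "__main__":
    for host, found in triage(SAMPLE_LOG).items():
        print(host, severity(found), found)
```

The point of the rule is the second and third loops: a quarantine that is simply acknowledged stays open, and any AV removal or new privileged session on that host, or on another host reached from it, inside the window escalates it to critical rather than leaving it as a closed anti-virus ticket.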

Importance of understanding the risks of phishing attacks

The announcement highlights the importance of organisations and their staff understanding the risks of cybersecurity and how they can best protect themselves from attacks, says Sridhar Iyengar, MD for Zoho Europe.

“Implementing and executing an effective data privacy policy takes work and commitment,” he comments. “Businesses need to understand where their data security weaknesses reside, before they can address them. For example, organisations that opt for a remote or hybrid working model might not have full oversight on who or what is connecting to their networks. Without the right privacy best-practice policies and security measures in-place, there’s nothing to deter employees from using their own, often unprotected, devices, networks and communication channels to handle extremely sensitive business data. Training and culture form a core part of how employees operate and leaders must ensure their staff both understand and adopt the right practices to adhere to privacy and security policies.”

Research by automation platform Ivanti has found that the global shift to remote work has increased the volume, sophistication and impact of phishing attacks. Nearly three-quarters (74%) of respondents said their organisations had fallen victim to a phishing attack in the last year.

According to the World Economic Forum (WEF), the pandemic has accelerated progress towards remote working and digitisation. With so much more personal information now online, companies, institutions, infrastructure and even democracies are being maliciously targeted by actors wishing to exploit it.

Organisations must have plans in place to deal with attempts to target and exploit the personal data and identities of customers and employees. They must also commit adequate resources to managing the converging digital and physical risks of identity-based cyber attacks: almost 50% of security leaders report an increase in physical security threats and incidents at their company over the last year.

Last month, the ICO issued TikTok with a “notice of intent” of up to £27mn for failing to protect the privacy of children between 2018 and 2020. Earlier this year, the ICO and the National Cyber Security Centre (NCSC) urged UK companies to bolster their digital security as the Russian invasion of Ukraine loomed.
