£4.4m fine shows the need to prevent phishing attacks
Britain’s data watchdog has fined a construction company £4.4mn for failing to keep the personal information of its staff secure.
The Information Commissioner’s Office (ICO) found that Interserve failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.
According to the ICO, in March 2020 an Interserve employee forwarded a phishing email, which was not quarantined or blocked by Interserve’s system, to another employee who opened it and downloaded its content. This resulted in the installation of malware onto the employee's workstation.
The company’s anti-virus quarantined the malware and sent an alert, but the ICO said Interserve failed to thoroughly investigate the suspicious activity.
The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
Importance of understanding the risks of phishing attacks
The announcement highlights the importance of organisations and their staff understanding the risks of cybersecurity and how they can best protect themselves from attacks, says Sridhar Iyengar, MD for Zoho Europe.
Research by automation platform Ivanti has found that the global shift to remote work has exacerbated the onslaught, sophistication and impact of phishing attacks. Nearly three-quarters (74%) of respondents said their organisations have fallen victim to a phishing attack in the last year.
According to the World Economic Forum (WEF), the pandemic has accelerated progress towards remote working and digitisation. With so much more personal information now online, companies, institutions, infrastructure and even democracies are being maliciously targeted by actors wishing to exploit it.
Organisations must have plans in place to deal with attempts to target and exploit the personal data and identities of customers and employees. They must commit adequate resources to manage the converging digital and physical risks of identity-based cyber attacks, as almost 50% of security leaders report an increase in physical security threats and incidents at their company over the last year.
Last month, the ICO issued TikTok with a “notice of intent” of up to £27mn for failing to protect the privacy of children between 2018 and 2020. Earlier this year, the ICO and the National Cyber Security Centre (NCSC) urged UK companies to bolster their digital security as the Russian invasion of Ukraine loomed.
- AWS Summit: AWS announces B2B SaaS Accelerator cohortCloud & Cybersecurity
- Analysis: Apple reveals Vision Pro extended reality headsetDigital Transformation
- Threat intelligence crucial, but isn’t one-size-fits-allCloud & Cybersecurity
- ISACA announces pledge to grow European cyber workforceCloud & Cybersecurity