The Information Commissioner's Office (ICO) has recently issued a penalty of £4,400,000 to the parent company of a construction business, Interserve Group Ltd (Interserve), for contravening the security provisions of the GDPR when one of its subsidiaries fell victim to a ransomware attack in early 2020, affecting the personal data of up to 113,000 employees.
Background
The incident occurred when a phishing email was sent to an employee in Interserve Construction Limited's accounts team. The email was forwarded to another employee who downloaded and extracted the ZIP file linked in the email and opened the script file, thereby unwittingly executing the installation of malware onto their device and providing the threat actor with remote access to their workstation. Although Interserve's endpoint protection tool took action to remove some of the files containing malware, Interserve undertook no further action to verify that all malware had been removed from its systems and it, in fact, transpired that the threat actor had retained ongoing access to the compromised employee's workstation.
The threat actor was subsequently able to compromise a server and move laterally to other Interserve systems, deploying tools to compromise 283 systems in total, including four HR databases containing personal data relating to up to 113,000 employees, including special category data, which the threat actor encrypted and rendered unavailable to Interserve. The compromised employee data, amongst other things, included: contact details, national insurance numbers, bank details, salary information, sexual orientation and health information.
Upon being alerted to the compromise of the data by the threat actor, Interserve promptly reported the incident to the NCSC, NCA and ICO. The ICO commenced an investigation.
The ICO's findings
The ICO found that Interserve had failed to comply with its obligations under Article 5(1)(f) of the GDPR (the requirement to process personal data in a manner that ensures appropriate security using appropriate technical or organisational measures) and Article 32 of the GDPR (the requirement to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk) for the following reasons:
- Personal data was being processed on unsupported and outdated operating systems, including the HR systems which processed significant volumes of sensitive personal information and, accordingly, these operating systems were no longer the subject of updates which could fix known vulnerabilities in the system
- There was a failure to implement appropriate end-point protection and undertake adequate vulnerability scanning and penetration testing
- Effective and appropriate security training was not implemented for all employees, and too many members of staff had wide ranging account privileges (the ICO noted that the attacker compromised multiple accounts which had permissions to uninstall anti-virus software)
- An effective and timely investigation was not undertaken following the initial attack (including a failure to undertake proper forensic analysis into the root cause of the incident) and there was a failure to implement appropriate technical and organisational measures to restore the availability and access to personal data in a timely manner contrary to Article 32(1)(c) of the GDPR.
Notably, the ICO found that many of the above failures were as a result of Interserve acting contrary to its own internal information security protocols, as well as industry standards and best practice guidance.
The ICO considered that the above failures constituted a significant and multi-faceted contravention of the GDPR and that Interserve had acted negligently in failing to comply with its obligations and follow best-practice guidance. In light of these failures and the volume and nature of sensitive personal data affected by the incident, a fine of £4,400,000 was deemed to be appropriate. It is not yet known whether Interserve will choose to appeal against the ICO's fine.
Discussion
This is the fourth largest fine ever issued by the ICO. The basis presented for the ICO's findings demonstrates that when investigating personal data breach incidents, the ICO is moving towards a more holistic assessment of whether organisations had appropriate technical and organisational measures in place to adequately protect personal data, rather than focussing solely on the security controls that are directly linked to the root cause of an incident.
Notably, in this case, the ICO found that despite Interserve having what it deemed to be an appropriate secure email gateway at the time of the incident (Forcepoint), and other relevant security measures in place, when assessing Interserve's security posture as a whole, wider deficiencies nonetheless rendered it non-compliant with the GDPR's security provisions, including its failure to properly respond to the incident by undertaking timely and proper forensic analysis and restore its systems.
It is not clear from the penalty notice whether all of the cited security deficiencies materially contributed (if at all) to the attack on Interserve or were exploited by the threat actor. This appears to be a step change in approach by the ICO from that taken in the BA and Marriott penalty notices where nearly all the focus was on kill chain and steps that could have been taken to prevent those specific incidents.
The other major change in approach, is that the ICO relied more heavily on Interserve's own policies to establish what amounted to an "appropriate" security measure under Article 32 GDPR. In previous penalty notices it has tried to establish this line by reference to external papers and briefings from the NCSC and other leading bodies on cyber security. This can lead to challenges for the ICO because those papers are often promoting "best practice" rather than what is "appropriate" being, arguably, a lower legal standard. Also external standards aimed at applying to a wide number of organisations tend to be written in high-level, general and caveated terms that do not automatically align with the specific data sets, network architecture and threat profile of different organisations.
This decision serves as a reminder that organisations should not act complacently towards cyber security. To best ensure compliance with the GDPR's security obligations, organisations should:
- Proactively review their information security policies to make sure that their real world practice is up to the standards set out in their policies
- Ensure that operating systems being used are up to date and still supported by the developers of the software, as well as undertaking penetration and other resilience training
- Regularly undertake staff training and testing in relation to phishing and other cyber security threats
- When the worst happens, investigate all incidents promptly and thoroughly to immediately diagnose the root cause of the incident, restore the availability of data and confirm the integrity of systems.
This article is for general information only and reflects the position at the date of publication. It does not constitute legal advice.