ICO (UK) - Interserve Group Limited monetary penalty notice

From GDPRhub
Revision as of 16:05, 22 November 2022 by Kv (talk | contribs) (Stylistic changes and provided links to GPDR articles)
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.10.2022
Published:
Fine: 4,400,000 GBP
Parties: n/a
National Case Number/Name: Interserve Group Limited monetary penalty notice
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Lauren

The UK DPA (ICO) imposed a fine of GBP 4,400,000 on the controller for failing to implement appropriate technical and organisational measures to secure employees' personal data, which contributed to a data breach caused by a cyberattack, contrary to Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

A construction company (controller) suffered a data breach which took place between 18 March 2019 and 1 December 2020. The breach was triggered by one of the controller's employees opening a phishing email that contained malware. The controller's virus scanner removed some of the malware, but the attacker retained access to the employee's computer and went on to infect additional servers and systems. The attacker used this access to uninstall the controller's anti-virus solution, which resulted in the personal data of up to 113,000 employees being compromised. The attacker then encrypted the data, making it unavailable to the controller. The compromised data included several categories of personal data as well as sensitive data and special categories of data. At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training. On 5 May 2020 the controller submitted a personal data breach notification to the UK DPA (DPA). The DPA subsequently commenced an investigation into the breach.

Holding

The DPA found that the controller failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures required by Articles 5(1)(f) and Article 32 GDPR. This rendered the controller vulnerable to a cyber-attack which affected the personal data of up to 113,000 employees.

With regard to Article 5(1) GDPR, the DPA held that the controller failed to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) GDPR. The DPA found that during the relevant period, the controller was processing personal data on outdated operating systems and had failed to undertake any formal risk assessment of its continued use of those systems. The controller also failed to implement appropriate end-point protection and to conduct regular and effective vulnerability scanning and penetration testing, and failed to provide appropriate and effective information training to its employees. Further failings, namely not updating a client-server communication protocol (SMB 1) to a newer version, not conducting an effective and timely investigation into the cause of the initial attack, and not effectively managing access for privileged accounts, all contributed to the breach of Article 5(1)(f) GDPR. The DPA accepted that each of the above contraventions, considered in isolation, was not necessarily causative of the incident nor a serious contravention of Article 5(1)(f) GDPR. However, the cumulative failures materially increased both the risk of an attack occurring and the seriousness of its consequences. Taken together, the failures did constitute a serious contravention of Article 5(1)(f) GDPR.

By virtue of the conditions set out above, the controller's failure to implement appropriate technical and organisational measures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing was contrary to Article 32(1)(d) GDPR.

When calculating the financial penalty, the DPA took the view that this was a significant contravention of the GDPR, in particular given the volume of personal data processed and the nature of that data, which included special category data. The volume and type of personal data being processed by the controller required robust security measures to be put in place, with appropriate controls and oversight. Further, the breach compromised personal data relating to up to 113,000 data subjects, whose personal data was processed unlawfully; this increased the seriousness and gravity of the breach. While the breach was negligent rather than deliberate, the DPA also took into account the controller's size, and in particular the size of its workforce and the volume and nature of the personal data it processed. This meant that higher standards of security were expected in comparison with a smaller organisation.

After also considering the mitigating factors, the DPA decided to impose a penalty on the controller of GBP 4,400,000, on the basis that this would be effective, dissuasive and proportionate given the failings identified, the current status of the controller and steps taken to improve measures which mitigate the future risk to data subjects.

Original Decision

The decision was issued in English. The full text of the monetary penalty notice is available from the ICO:

https://ico.org.uk/media/action-weve-taken/mpns/4021951/interserve-group-limited-monetary-penalty-notice.pdf