ICO (UK) - Interserve Group Limited monetary penalty notice
ICO - Interserve Group Limited monetary penalty notice | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 24.10.2022 |
Published: | |
Fine: | 4,400,000 GBP |
Parties: | n/a |
National Case Number/Name: | Interserve Group Limited monetary penalty notice |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | Lauren |
The UK DPA imposed a fine of GBP 4,400,000 on the controller for failing to implement appropriate technical and organisational measures to secure its employees' personal data, which contributed to a data breach caused by a cyberattack, contrary to Articles 5(1)(f) and 32 GDPR.
English Summary
Facts
A construction company (controller) suffered a data breach; the relevant period considered by the DPA ran from 18 March 2019 to 1 December 2020. The breach was triggered by one of the controller's employees opening a phishing email whose attachment contained malware. The controller's anti-virus software removed some of the malware, but the attacker retained access to the employee's computer and went on to compromise additional servers and systems. The attacker used that access to uninstall the controller's anti-virus solution, after which the personal data of up to 113,000 employees was compromised. The attacker then encrypted the data, making it unavailable to the controller. The compromised data included several categories of personal data, including sensitive data and special categories of data. At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training. On 5 May 2020, the controller submitted a personal data breach notification to the UK DPA (DPA). The DPA subsequently commenced an investigation into the breach.
Holding
The DPA found that the controller failed to process personal data in a manner that ensured its appropriate security, using the appropriate technical and organisational measures required by Articles 5(1)(f) and 32 GDPR. This left the controller vulnerable to a cyberattack which affected the personal data of up to 113,000 employees.
With regard to Article 5(1) GDPR, the DPA held that the controller failed to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) GDPR. The DPA found that during the relevant period the controller was processing personal data on outdated operating systems, and had not undertaken any formal risk assessment of its continued use of those systems. The controller also failed to implement appropriate end-point protection and failed to conduct regular and effective vulnerability scanning and penetration testing. It further failed to provide appropriate and effective information security training to its employees. Other failings, namely the continued use of version 1 of the SMB file-sharing protocol (SMBv1) instead of a newer version, the failure to conduct an effective and timely investigation into the cause of the initial attack, and the failure to effectively manage privileged accounts and their access, all contributed to the breach of Article 5(1)(f) GDPR.

The DPA accepted that each of the above contraventions, considered in isolation, was not necessarily causative of the incident nor a serious contravention of Article 5(1)(f) GDPR. Cumulatively, however, the failures materially increased both the likelihood of an attack occurring and the seriousness of its consequences. Taken together, they did constitute a serious contravention of Article 5(1)(f) GDPR.
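One of the findings above, the retention of SMBv1, is something a practitioner can verify directly on a Windows host. The following audit script is an added example and is not part of the ICO notice or the controller's tooling; it assumes an elevated PowerShell session on a supported Windows version where the SmbShare and DISM modules are available, and the function name `Get-Smb1Exposure` is the author's own choice.

```powershell
# Added example, not from the ICO notice: audit whether SMBv1 is still
# enabled on this host and whether any live SMB sessions negotiated a
# legacy dialect. Requires an elevated session; the SmbShare cmdlets exist
# on Windows 8 / Server 2012 and later only, so a failure to import them
# on a host is itself a sign of an outdated operating system.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server-side protocol switches (EnableSMB1Protocol / EnableSMB2Protocol
    # are real properties of the SmbServerConfiguration object).
    $server = Get-SmbServerConfiguration

    $result = [ordered]@{
        ComputerName          = $env:COMPUTERNAME
        Smb1ServerEnabled     = $server.EnableSMB1Protocol
        Smb2ServerEnabled     = $server.EnableSMB2Protocol
        Smb1FeatureState      = 'Unknown'
        LegacyDialectSessions = @()
    }

    # Optional-feature state. On client SKUs the feature is "SMB1Protocol";
    # on Windows Server the equivalent is Get-WindowsFeature FS-SMB1.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
        -ErrorAction SilentlyContinue
    if ($feature) { $result.Smb1FeatureState = [string]$feature.State }

    # Any inbound session whose negotiated dialect is below 2.0.2 is an
    # SMBv1 peer (SMB1 sessions are reported with a 1.x dialect string).
    $result.LegacyDialectSessions = @(
        Get-SmbSession -ErrorAction SilentlyContinue |
            Where-Object { [version]$_.Dialect -lt [version]'2.0.2' } |
            Select-Object ClientComputerName, ClientUserName, Dialect
    )

    [pscustomobject]$result
}

$exposure = Get-Smb1Exposure
$exposure | Format-List

if ($exposure.Smb1ServerEnabled -or $exposure.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is still enabled on this host.'
}
if ($exposure.LegacyDialectSessions.Count -gt 0) {
    Write-Warning ('{0} live session(s) negotiated an SMBv1 dialect; ' +
        'identify those clients before disabling the protocol.') -f `
        $exposure.LegacyDialectSessions.Count
}

# Remediation, once no legacy clients depend on SMBv1 (commented out so the
# audit is read-only by default):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run the audit across the estate before flipping the switch: the session check exists precisely so that the legacy clients that still speak SMBv1 (often the same unsupported operating systems the notice criticises) are found and migrated rather than silently cut off.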
By virtue of the failings set out above, the controller's failure to implement appropriate technical and organisational measures for regularly testing, assessing and evaluating the effectiveness of its security measures was contrary to Article 32(1)(d) GDPR.
When calculating the financial penalty, the DPA took the view that this was a significant contravention of the GDPR, in particular given the volume of personal data processed and its nature, which included special category data. The volume and type of personal data being processed by the controller required robust security measures with appropriate controls and oversight. Further, the breach compromised personal data relating to up to 113,000 data subjects, whose personal data was processed unlawfully as a result. This increased the seriousness and gravity of the breach. Although the contravention was negligent rather than deliberate, the DPA took into account the controller's size, particularly the size of its workforce and the volume and nature of the personal data it processed, which meant that higher standards of security were expected than of a smaller organisation.
After also considering the mitigating factors, the DPA decided to impose a penalty of GBP 4,400,000 on the controller, on the basis that this would be effective, dissuasive and proportionate given the failings identified, the current status of the controller, and the steps it had taken to improve the measures that mitigate future risk to data subjects.
Original Decision
The decision was issued in English; the full monetary penalty notice is available from the ICO at the link below.
https://ico.org.uk/media/action-weve-taken/mpns/4021951/interserve-group-limited-monetary-penalty-notice.pdf