ICO (UK) - Interserve Group Limited monetary penalty notice
|ICO - Interserve Group Limited monetary penalty notice|
|Relevant Law:||Article 5(1)(f) GDPR|
Article 32 GDPR
|National Case Number/Name:||Interserve Group Limited monetary penalty notice|
|European Case Law Identifier:||n/a|
|Original Source:||ICO (in EN)|
The UK DPA imposed a fine of around €5,100,000 (GBP 4,400,000) on the controller for failing to implement appropriate technical and organisational measures to secure employee's personal data, which contributed to a data breach caused by a cyberattack, contrary to Articles 5(1)(f) and 32 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
A construction company (controller) suffered a data breach, which was triggered by the controller's employee opening a phishing email, which contained malware. The controller's virus scanner removed some of the malware, but the hacker still had access to the employee's computer and infected some additional servers and systems. The attacker used the access to uninstall the controller's anti-virus solution which resulted in the personal data of up to 113,000 employees being compromised. The attacker encrypted the data and made it unavailable for the controller. The compromised data included several categories of personal data as well as sensitive data and special categories of data. At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training. On 5 May 2020, the controller submitted a personal data breach notification to the UK DPA (DPA). The DPA subsequently commenced an investigation into the breach.
Holding[edit | edit source]
The DPA found that the controller failed to process personal data in a manner that ensured appropriate security of the personal data using appropriate technical and organisational measures required by Articles 5(1)(f) and Article 32 GDPR. This rendered the controller vulnerable to a cyber-attack which affected the personal data of up to 113,000 employees.
With regard to Article 5(1)(f) GDPR, the DPA held that the controller failed to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f) GDPR.
The DPA found that during the relevant period, the controller was processing personal data on unsupported operating systems which no longer received security updates at the time of the breach. The controller also failed to undertake any formal risk assessments in relation to using those systems. In addition, the controller also failed to implement appropriate end-point protection and failed to conduct regular and effective vulnerability scanning and penetration testing. The controller also failed to provide appropriate and effective information security training to its employees. Other conditions, including the failure to update a client-server communication protocol (SMB 1) to a newer version, the failure to conduct an effective and timely investigation into the cause of the initial attack and the failure to effectively manage access of privileged accounts (280 users within the domain administrator group), all contributed to a breach of Article 5(1)(f) GDPR. Overall, the DPA accepted that each of the above contraventions, if considered in isolation, were not necessarily causative of the incident nor a serious contravention of Article 5(1)(f) GDPR. However, the cumulative failures materially increased both the risk of an attack occurring, and increased the seriousness of the consequences of an attack. Taken together, the failures did constitute a serious contravention of Article 5(1)(f) GDPR.
The DPA also stated that the controller's failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32(1) GDPR). Specifically, the DPA stated the use of outdated operating systems, outdated protocols, ineffective endpoint security and the failure to ensure employees had undertaken phishing training was contrary to Article 32(1)(b) GDPR, because the controller failed to implement appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services. The controller also failed to implement appropriate technical and organisational measures to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, which was contrary to Article 32(1)(c) GDPR. The DPA described several instances were the personal data stored on different systems was unavailable for several months. Lastly, the controller also failed to implement appropriate technical and organisational measures for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing, which was contrary to Article 32(1)(d) GDPR.
When calculating the financial penalties, the DPA considered the factors described in Article 83(2) GDPR to decide to impose a penalty or not. The DPA took the view that this was a significant contravention of the GDPR in particular regarding the volume of personal data processed and the nature of the personal data, which included special category data. The volume and type of personal data being processed by the controller required robust security measures to be put in place with appropriate controls and oversight. Further, the breach compromised personal data relating to up to 113,000 data subjects. Their personal data was processed unlawfully. This increased the seriousness and gravity of the breach. Despite the negligent nature of the breach, the DPA took into account the controller's size, and particularly the size of its workforce and the volume and nature of personal data it processed. This meant that higher standards of security were expected in comparison with a smaller organisation.
After also considering the mitigating factors, the DPA decided to impose a penalty on the controller of around €5,100,000 (GBP 4,400,000), on the basis that this would be effective, dissuasive and proportionate given the failings identified, the current status of the controller and steps taken to improve measures which mitigate the future risk to data subjects.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the English original. Please refer to the English original for more details.