ICO (UK) - Interserve Group Limited monetary penalty notice

From GDPRhub
Revision as of 00:40, 16 November 2022 by Lauren7
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.10.2022
Published:
Fine: 4,400,000 GBP
Parties: n/a
National Case Number/Name: Interserve Group Limited monetary penalty notice
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Lauren

The UK DPA (ICO) imposed a fine of GBP 4,400,000 on the controller for failing to implement appropriate technical and organisational measures to secure its employees' personal data. The failings contributed to a personal data breach caused by a cyberattack, contrary to Articles 5(1)(f) and 32 GDPR.

English Summary

Facts

The controller is a construction company. It had previously reported to the UK DPA a data breach that took place between 18 March 2019 and 1 December 2020. The breach began when one of the controller's employees opened a phishing email containing malware. The controller's anti-virus software removed some of the malware, but the attackers retained access to the employee's computer and went on to compromise further servers and systems. The controller's anti-virus solution was subsequently uninstalled, and the personal data of up to 113,000 current and former employees was compromised.

The compromised HR data included contact details, telephone numbers, email addresses, national insurance numbers, bank account details, marital status, dates of birth, education, country of birth, gender, number of dependants, emergency contact information and salary. Special category personal data, including ethnic origin, religion, details of disabilities, sexual orientation and health information relevant to ill-health retirement applications, was also compromised. At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training. On 5 May 2020 the controller submitted a personal data breach notification to the DPA, which subsequently opened an investigation into the matters relating to the breach.

Holding

As part of the investigation, the DPA found that the controller had failed to process personal data in a manner that ensured appropriate security of that data, using appropriate technical and organisational measures, as required by Article 5(1)(f) and Article 32 GDPR. These failings left the controller vulnerable to a cyberattack and affected the personal data of up to 113,000 employees.

With regard to Article 5(1)(f), the DPA held that the controller failed to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. The DPA found that during the relevant period the controller was processing personal data on unsupported operating systems and had not undertaken any formal risk assessment of their use. The controller had also failed to implement appropriate end-point protection, to conduct regular and effective vulnerability scanning and penetration testing, and to provide appropriate and effective information security training to its employees. Further failings, namely its continued use of the outdated SMB 1 protocol, its failure to conduct an effective and timely investigation into the cause of the initial attack, and its failure to manage privileged account access effectively, all contributed to the breach of Article 5(1)(f). The DPA accepted that each of these contraventions, considered in isolation, was not necessarily causative of the incident nor a serious contravention of Article 5(1)(f). Taken together, however, the cumulative failures materially increased both the risk of an attack occurring and the seriousness of its consequences, and therefore did constitute a serious contravention of Article 5(1)(f).

On the basis of the failings set out above, the controller's failure to implement appropriate technical and organisational measures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing was also contrary to Article 32(1)(d) GDPR.

When calculating the financial penalty, the DPA took the view that this was a significant contravention of the GDPR, in particular having regard to the volume of personal data processed by the controller and the fact that it included special category data. The volume and type of personal data being processed required robust security measures with appropriate controls and oversight. The breach compromised the personal data of up to 113,000 data subjects, all of whose data was processed unlawfully, which increased the seriousness and gravity of the contravention. The DPA considered the contravention to be negligent rather than deliberate, but took into account that the controller's size, and in particular the size of its workforce and the volume and nature of the personal data it processed about that workforce, meant that higher standards of security were expected of it than of a much smaller organisation.

After also considering the mitigating factors, the DPA decided to impose a penalty of GBP 4,400,000 on the controller, on the basis that this would be effective, proportionate and dissuasive given the failings identified, the current status of the controller and the steps it had taken to improve measures mitigating the future risk to data subjects.


Original Decision

The decision was issued in English and is available from the ICO at the link below.

https://ico.org.uk/media/action-weve-taken/mpns/4021951/interserve-group-limited-monetary-penalty-notice.pdf