ICO takes action for failure to protect personal data

This week the Information Commissioner’s Office (ICO) fined Interserve £4.4 million for failing to put appropriate measures in place to prevent unauthorised access to personal data. An Interserve employee received a phishing email with an attachment which appeared to require urgent action. The email was forwarded to another employee, who downloaded its contents, and this gave the attackers the foothold from which they accessed employee data. The ICO ruled that Interserve had broken data protection law.

ICO Commissioner John Edwards stated that many businesses are not taking cyber security seriously enough. He warned, “If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

When does a personal data breach occur?

A personal data breach will occur whenever any personal data is disclosed, corrupted, lost or even destroyed. It will also occur where someone accesses the data without proper authorisation to do so. Some of the most common examples of data breaches occur as a result of human error, such as sending the personal data to the wrong email address or losing electronic devices which contain personal data.

The personal data breach at Interserve involved HR data, including employees’ contact details, national insurance numbers, dates of birth, marital status, education and other personal information. Access to information of this sensitivity poses a risk to individuals’ rights and freedoms: it opens up the possibility of identity theft and other harmful outcomes.

Complying with data protection security laws

The ICO said complacency is the biggest cyber risk, not hackers.

Given the potential sanctions under the UK GDPR and the DPA 2018, organisations need to treat security breach management as an important part of their broader risk strategy. A comprehensive data breach management plan should be implemented and supported by appropriate policies and procedures for identifying and responding to data breaches. These should cover governance, detection, escalation, communications, investigation, and recovery and remediation.

In Interserve’s case, when the phishing email’s content was downloaded, Interserve’s anti-virus quarantined the malware and raised an alert. Interserve did not investigate that alert thoroughly; a proper investigation could have revealed that the attacker still had access to its systems. The attacker went on to compromise 283 systems and 16 accounts, including a privileged account, that is, one with elevated administrative rights and correspondingly wide access to sensitive data. That account was used to uninstall Interserve’s anti-virus solution so that further malware would go undetected. The ICO found multiple failures: Interserve was running outdated software and protocols, and it lacked suitable staff training and risk assessments.

How to comply

  • Regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures an organisation has in place to prevent data breaches. The UK GDPR looks at those measures as a whole, so the scope of an organisation’s testing should be proportionate to its own circumstances, including the sensitivity of the data it holds.
  • Choosing a data processor that provides sufficient guarantees about its security measures.
  • Building a culture of security awareness within the organisation. Employees, especially those with access to personal data, should be trained to recognise security incidents and to escalate them to the appropriate individuals and teams.
  • Investigating every warning of suspicious activity, including alerts raised by security tooling such as anti-virus.
  • Keeping software up to date and retiring outdated systems and protocols.
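The failure the ICO singled out at Interserve was an anti-virus alert that nobody followed up, after which the attacker used a privileged account to remove the anti-virus altogether. The following is an added example, not code from the article or from any Interserve system, of how a security team can make sure that chain is caught: every quarantine alert becomes a finding that must be investigated, and anti-virus tampering on a host that recently quarantined something is escalated. The log layout (timestamp, host, account, event, detail), the event names, the host and account names and the sample lines are all constructed for illustration.

```python
"""Triage of anti-virus alerts: every quarantine is a finding that must be
investigated, and anti-virus removal on a host with a recent quarantine is
escalated. Added example; the log format, field names, hosts and accounts
are constructed for illustration and are not real telemetry."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Assumed layout: timestamp | host | account | event | detail
SAMPLE_LOG = """\
2020-03-30T09:12:04 | WS-0142 | j.doe     | AV_QUARANTINE   | Trojan.Downloader in Invoice_urgent.zip
2020-03-30T09:12:05 | WS-0142 | j.doe     | ATTACHMENT_OPEN | Invoice_urgent.zip
2020-03-30T11:40:51 | WS-0142 | j.doe     | LOGON           | interactive
2020-04-02T02:17:33 | WS-0142 | svc_admin | AV_UNINSTALL    | msiexec /x (AV product code)
2020-04-02T02:18:10 | WS-0142 | svc_admin | AV_SERVICE_STOP | service stopped
2020-04-02T02:30:00 | FS-01   | svc_admin | LOGON           | remote
2020-04-03T03:05:00 | WS-0377 | svc_admin | AV_SERVICE_STOP | service stopped
2020-04-05T10:00:00 | WS-0203 | a.smith   | AV_QUARANTINE   | PUA.Generic on removable media
"""

AV_TAMPER = {"AV_UNINSTALL", "AV_SERVICE_STOP"}


@dataclass
class Event:
    ts: datetime
    host: str
    account: str
    kind: str
    detail: str


def parse_log(text):
    """Parse the pipe-delimited sample format into Events, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, kind, detail = (f.strip() for f in line.split("|", 4))
        events.append(Event(datetime.fromisoformat(ts), host, account, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def _finding(severity, e, reason):
    return {"severity": severity, "host": e.host, "account": e.account,
            "ts": e.ts.isoformat(), "reason": reason}


def triage(events, window=timedelta(days=7)):
    """Return a list of findings, each {'severity', 'host', 'account', 'ts', 'reason'}.

    - AV_QUARANTINE opens a MEDIUM finding for the host; only a person closes it,
      so this function never does.
    - AV tampering on a host with a quarantine in the last `window` is CRITICAL:
      the quarantine said malware had arrived, and now something with enough
      privilege is removing the control that caught it.
    - AV tampering anywhere else is HIGH: it is rarely legitimate outside a
      change window.
    """
    findings = []
    open_quarantines = {}  # host -> most recent quarantine Event
    for e in events:
        if e.kind == "AV_QUARANTINE":
            open_quarantines[e.host] = e
            findings.append(_finding("MEDIUM", e, f"quarantine needs investigation: {e.detail}"))
        elif e.kind in AV_TAMPER:
            prior = open_quarantines.get(e.host)
            if prior is not None and e.ts - prior.ts <= window:
                gap = e.ts - prior.ts
                findings.append(_finding(
                    "CRITICAL", e, f"{e.kind} by {e.account} {gap} after quarantine on the same host"))
            else:
                findings.append(_finding(
                    "HIGH", e, f"{e.kind} by {e.account} with no recent quarantine"))
    return findings


def run_sample():
    """Run the triage over the constructed log; used by the demo below."""
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['severity']:8} {f['ts']} {f['host']:8} {f['reason']}")
```

On the constructed log this produces two CRITICAL findings for WS-0142 (uninstall and service stop by the privileged service account three days after a quarantine on that host), a HIGH finding for the service stop on WS-0377, and two MEDIUM findings for the quarantines themselves. The point is that the quarantine alone is not the end of the story: it is a ticket that stays open until someone has established how the file arrived and whether anything else ran.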
Sana Nahas

Trainee Solicitor

View profile

‪+44 118 960 4611

The ICO said complacency is the biggest cyber risk, not hackers.

Risk mitigation

Pseudonymisation and encryption can be used to reduce the impact of a breach; Article 32(1)(a) of the UK GDPR lists both as examples of measures that may be appropriate to implement.
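To show what pseudonymisation of an HR extract like Interserve’s actually looks like in practice, here is an added example (not code from the article or from any real HR system). It replaces the direct identifiers in each row with a keyed-hash token, keeps the re-identification table and key separately from the working dataset, and then demonstrates the caveat a practitioner should know: an unkeyed hash of a low-entropy field such as a date of birth can be reversed by trying every candidate, so it is not pseudonymisation at all. The row layout, field names, sample people and key handling are all assumed.

```python
"""Pseudonymisation of an HR extract with a keyed hash, and why an unkeyed
hash of a low-entropy field is not pseudonymisation. Added example; the
record layout, field names and key handling are assumed, not taken from
the article or from any real HR system."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Constructed sample rows (not real people).
HR_ROWS = [
    {"ni_number": "QQ123456C", "name": "Jane Doe", "dob": "1985-02-14", "role": "Engineer"},
    {"ni_number": "QQ654321A", "name": "John Smith", "dob": "1979-11-30", "role": "Analyst"},
]

DIRECT_IDENTIFIERS = ("ni_number", "name")


def pseudonymise(rows, key):
    """Replace direct identifiers with an HMAC-SHA256 token of the NI number.

    Returns (pseudonymised rows, re-identification table). The table and the
    key are the 'additional information' that must be held separately from the
    working dataset; the dataset on its own cannot be attributed to a person.
    """
    out, lookup = [], {}
    for r in rows:
        token = hmac.new(key, r["ni_number"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        out.append({"pid": token, **{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}})
    return out, lookup


def reidentify(token, lookup):
    """Controlled re-identification: only possible with the separately held table."""
    return lookup.get(token)


def unkeyed_digest(value):
    """Plain SHA-256: the tempting but wrong way to 'anonymise' a field."""
    return hashlib.sha256(value.encode()).hexdigest()


def crack_unkeyed_dob(digest, first_year=1940, last_year=2010):
    """Recover a date of birth from its unkeyed SHA-256 by trying every date.

    Roughly 26,000 candidates, so this finishes in well under a second: an
    unkeyed hash of a low-entropy field is reversible and offers no real
    protection. With HMAC the attacker also needs the key, which lives elsewhere.
    """
    d = date(first_year, 1, 1)
    end = date(last_year, 12, 31)
    while d <= end:
        s = d.isoformat()
        if unkeyed_digest(s) == digest:
            return s
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep in a key store, never alongside the data
    rows, table = pseudonymise(HR_ROWS, key)
    print(rows)                                   # no names or NI numbers
    print(reidentify(rows[0]["pid"], table))      # works only with the table
    print(crack_unkeyed_dob(unkeyed_digest("1985-02-14")))  # recovers the DOB
```

The working dataset that analysts, processors and backups see contains only the token and the non-identifying fields, so a copy of it stolen in a phishing-led intrusion is of far less use to the attacker than Interserve’s raw HR data was. The re-identification table and the HMAC key need the same access controls and monitoring the article calls for elsewhere, because whoever holds both can undo the pseudonymisation.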

Lessons for organisations

As technology advances, attackers keep finding new ways to infiltrate systems, and organisations need to keep pace by keeping their own systems up to date. Even though Interserve’s breach began with a phishing email being opened, it should have had controls in place to contain the malware once its anti-virus had flagged it.

The ICO emphasised that it is never acceptable to leave the door open to cyber-attacks, especially when handling people’s most sensitive data. Organisations that are struggling financially therefore have no excuse for failing to update their systems.

What to do in the event of a breach

Responding to a breach, and in particular recovering from it, is itself a part of the continuum of measures which organisations are expected to follow. See our article on notifying the ICO of a personal data breach.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
