A 2020 ransomware incident at Interserve, a construction firm and UK government supplier, has become something of a reference point: the company has been handed one of the largest fines ever issued in the country for its negligence in the matter. The Information Commissioner’s Office (ICO) ruled that systemic failures in the company’s defenses were responsible for the theft of over 110,000 records containing personal data.
The incident carries lessons for other government suppliers and vendors operating in the UK. Substantial fines may be levied if employees are not trained to recognise phishing attempts, if antivirus systems are misconfigured or their alerts go unattended, or if operating systems are so outdated that they no longer receive security patches, among other failings.
Major fine for negligence in cyber attack as employees, IT defenses judged not up to snuff
Because the incident took place in 2020, the supplier was fined under the General Data Protection Regulation (GDPR) rules that the UK then shared with the EU. The country’s current rules on cyber attacks are not all that different, however, and organizations can reasonably expect similar judgments going forward.
The fine total was the fourth largest ever issued in the UK, but the components that enabled the cyber attack are fairly common to all sorts of organizations. One is a lack of employee security training regarding phishing emails, which is how the attackers initially broke in. Another is the presence of outdated operating systems in the company that were too old to be supported and receive security updates, which the attackers were able to leverage as they moved through the network.
The ICO ruling also noted that the company did not have an adequate level of endpoint protection in place, did not regularly test its security measures, and allowed employees to “split tunnel” remote connections, a configuration that routes part of a device’s traffic outside the corporate VPN and so around the network’s usual login and inspection controls. But perhaps the single biggest contributor to the judgment against the government supplier was the security staff’s failure to respond to a warning from the antivirus/antimalware system.
Despite the generally poor state of security, the company’s antivirus software did detect the malware when the employee downloaded it, quarantined it, and generated a warning for IT staff. That warning went unactioned for long enough that the malware was able to take down the antivirus system and the attack proceeded unhindered.
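The failure described above is a triage problem rather than a detection problem: the product fired, nobody acted, and the next thing the same host did was lose its antivirus service. The following script is an added illustration of a check that catches that sequence; it is not Interserve’s tooling or any vendor’s API, and the key=value log format, host names, alert IDs and analyst names are all constructed for the example. It reads endpoint-protection events, lists quarantine alerts that no analyst acknowledged within an SLA, and flags hosts whose AV service stopped while a quarantine on that host was still unacknowledged.

```python
"""Triage check over endpoint-protection events (illustrative; constructed data).

Two questions the article's incident raises:
  1. Which quarantine alerts has nobody acknowledged within the SLA?
  2. On which hosts did the AV service stop after an alert nobody had acted on?
"""
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample events in a simple key=value format, one event per line.
# This is NOT real product output; field names are assumptions for the example.
SAMPLE_LOG = """\
ts=2020-05-01T09:02:10 host=WS-0421 user=jdoe event=quarantine alert=A100 file=invoice.exe
ts=2020-05-01T09:05:00 host=WS-0077 user=asmith event=quarantine alert=A101 file=macro.doc
ts=2020-05-01T09:20:00 host=WS-0077 user=analyst1 event=ack alert=A101
ts=2020-05-01T11:45:31 host=WS-0421 user=SYSTEM event=service_stopped service=avengine
ts=2020-05-01T12:00:00 host=WS-0300 user=bkim event=quarantine alert=A102 file=update.scr
"""


def parse_log(text: str) -> List[dict]:
    """Parse key=value lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def unacknowledged_quarantines(events: List[dict], sla_minutes: int, now_iso: str) -> List[str]:
    """Alert IDs that were quarantined but not acknowledged within the SLA.

    An alert is overdue if it was acknowledged later than the SLA allows, or if it
    has no acknowledgement at all and the SLA has already elapsed as of `now_iso`.
    """
    now = datetime.fromisoformat(now_iso)
    sla = timedelta(minutes=sla_minutes)
    quarantined = {e["alert"]: e["ts"] for e in events if e["event"] == "quarantine"}
    acked = {e["alert"]: e["ts"] for e in events if e["event"] == "ack"}
    overdue = []
    for alert, t_quarantine in quarantined.items():
        t_ack = acked.get(alert)
        if t_ack is None:
            if now - t_quarantine > sla:
                overdue.append(alert)
        elif t_ack - t_quarantine > sla:
            overdue.append(alert)
    return overdue


def tamper_after_quarantine(events: List[dict]) -> List[str]:
    """Hosts whose AV service stopped while a quarantine on that host was unacknowledged.

    Walks events in time order, keeping the set of open (unacked) alerts per host;
    a service_stopped event on a host with open alerts is the pattern to escalate.
    """
    open_alerts: Dict[str, Set[str]] = {}
    flagged = []
    for e in events:
        host = e["host"]
        if e["event"] == "quarantine":
            open_alerts.setdefault(host, set()).add(e["alert"])
        elif e["event"] == "ack":
            open_alerts.get(host, set()).discard(e["alert"])
        elif e["event"] == "service_stopped" and open_alerts.get(host):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("overdue alerts:", unacknowledged_quarantines(evts, 30, "2020-05-01T13:00:00"))
    print("AV stopped with open alerts on:", tamper_after_quarantine(evts))
```

On the constructed log, a 30-minute SLA checked at 13:00 reports A100 and A102 as overdue (A101 was acknowledged within 15 minutes), and WS-0421 is flagged because its AV engine stopped more than two hours after a quarantine nobody had looked at. In a real deployment the second check is the one to page on: a service stopping shortly after a detection on the same host is the signature of an attacker clearing the way, and the window between the two events is the response time that the ICO found wanting here.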
Government supplier draws 4th largest penalty for security oversights
The cyber attack on Interserve leaked information about the company’s current and former employees; it employs about 53,000 people at present and apparently held records on at least 60,000 people who had previously worked for the company. The stolen files included salary information, payroll and pension files, health identification numbers, and HR records. Most worrying for employees, bank account numbers associated with automatic payments also appear to have been exposed.
The large fine appears to be deserved, at least according to the terms of UK law, given how much sensitive financial information was exposed in the cyber attack and how many points of basic security failure were involved. However, Interserve may not end up paying it. The company has been in administration since 2019 and is scheduled to fully dissolve in 2024, with its surviving parts being sold off individually. UK law calls for the fine to be paid in November, and it is doubtful Interserve has the resources on hand to do so.