Complacency could land you in serious trouble!

Interserve has been issued with a £4.4 million fine by the ICO as a result of its failure to keep the personal data of up to 113,000 employees secure.

A phishing email was shared between employees, one of whom opened and downloaded its contents, which resulted in malware being installed on the employer’s systems. Interserve’s anti-virus software alerted them to suspicious activity, but they failed to adequately investigate the alert.

Their failure to investigate the alert resulted in the hackers obtaining employees’ personal data, including contact details, national insurance numbers, bank account details and special category data such as the ethnic origin, religion, disabilities, sexual orientation and medical information of employees.

The ICO’s investigation concluded that Interserve failed to follow up on the anti-virus alert, had outdated software and protocols in place, and had failed to adequately train staff, which ultimately left the company exposed to a large-scale cyber-attack.

Take away points

The fine is significant and is one of a long line of fines issued by the ICO to companies who have committed serious data breaches. EasyLife Ltd was issued with a £1.35 million fine for unlawfully using the personal data of 145,000 customers to target them with health-related products, and a further fine of £130,000 after making over 1 million direct marketing calls. The ICO also intends to issue a £27 million fine to a social media provider for failing to protect children’s privacy.

John Edwards, the ICO Commissioner said:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

Companies’ own complacency leaves them exposed and vulnerable to future cyber-attacks, and it is a very costly mistake to make.

What can you do to minimise the risk of a cyber-attack?

  • Regularly monitoring for suspicious activity;
  • Fully investigating any suspicious activity alerts;
  • Regularly updating internal systems and software;
  • Providing regular training to staff to highlight risks and key warning signs;
  • Encouraging the use of secure passwords and implementing multi-factor authentication;
  • Updating internal policies and procedures and ensuring regular risk assessments are carried out.

If you have any queries or would like data protection advice from our experienced team of solicitors, call our Data Protection team on 0333 323 5292.
