On 24 October 2022, the ICO issued a monetary penalty notice (MPN) to Interserve Group Limited (Interserve), imposing a fine of £4.4m for infringements of the GDPR (the infringements pre-dated Brexit, so the EU GDPR rather than the UK GDPR applied).
The ICO found that Interserve had failed to put appropriate technical and organisational measures in place to secure personal data (in contravention of Articles 5(1)(f) and 32 GDPR) for a period of roughly 20 months.
The incident followed what is proving to be a familiar fact pattern. A phishing email was sent to a group employee, designed to appear as though the attached document needed urgent action. Downloading and extracting the attached ZIP file installed malware on the workstation, giving the threat actor access to it (Patient Zero). The infection was flagged by Interserve's endpoint protection system, which reported that automatic removal of the malware had been successful. Interserve took no further action to verify that report, and the threat actor retained ongoing access to the workstation. A "removed" verdict from an endpoint product is evidence that one artefact was quarantined, not that the host is clean; the ICO treated the absence of any follow-up investigation as a failing in its own right.
From that initial foothold, the threat actor compromised a server and used it to "move laterally" within the Interserve estate (i.e., to move from the initial point of compromise to other parts of the victim's IT estate). Over the following days, the threat actor compromised 283 systems and 16 accounts (12 of them privileged admin accounts) across the estate. A privileged account was then used to uninstall Interserve's anti-virus solution so that the threat actor's malware would not be detected. The attacker went on to compromise four HR databases containing the data of around 113,000 current and former employees. The databases were encrypted and rendered unavailable to Interserve. Interserve then notified the NCA, the NCSC and the ICO.
The personal data held on the compromised databases comprised a common HR data set for current and former employees, including: telephone numbers; email addresses; national insurance numbers; bank account details; marital status; dates of birth; education; countries of birth; gender; number of dependants; emergency contact information; and salary. The databases also held special category personal data, including ethnic origin; religion; details of disabilities; sexual orientation; and health information relevant to ill-health retirement applications. Interestingly, not every item of information was necessarily held for each of the 113,000 individuals; rather, these were the categories of information recorded in the relevant databases. Under Article 33(1) GDPR, an organisation notifying the ICO is only obliged to describe, where possible, the approximate categories and number of data subjects and personal data records concerned, which appears to be the approach adopted by Interserve.
Digest of points to note in the MPN
The MPN is littered with useful insights into ICO enforcement and provides further detail on what the ICO expects in relation to the principle-based obligations in Articles 5(1)(f) and 32 GDPR. We found the following points of particular interest:
- % of revenue. On the face of it, this is a sizeable fine issued to a controller that is not a household name for perceived failings in information security. Dig a little deeper and the level of fine is in fact a relatively small percentage of Interserve's last reported revenues (less than one fifth of 1%).
It is nevertheless a significant amount of money, and the reputational damage arising from a public fine was also taken into consideration by the ICO when setting the level of the fine. The fact that the fine is a relatively small percentage of revenues may indicate that the new Information Commissioner, John Edwards, favours a less aggressive approach to enforcement than his predecessor, Elizabeth Denham, at least when it comes to setting the level of fines. Lower fines are also less likely to result in successful appeals that tie up the ICO's enforcement team in legal argument.
A key open legal question remains whether the correct maximum when calculating fines for security infringements under the UK GDPR (NB this MPN was issued under the EU GDPR) is a) the greater of 2% of turnover or £8.7 million; or b) the greater of 4% of turnover or £17.5 million (in each case, turnover being total worldwide annual turnover for the preceding financial year). The ICO has previously taken the position that the higher limit applies, though this has not yet been tested on appeal and there are good arguments that the lower maximum should apply.
- One group controller to rule them all: Interserve was held to be the relevant controller for the purpose of enforcement, notwithstanding that the incident and the security failings spanned numerous group companies. Interserve was the parent company, it was responsible for information security for the group and it employed the individuals working in information security. Enforcement against multiple entities in the same group is complicated and time consuming; it is much simpler for the ICO to target the parent company when that company is responsible for information security for the entire group.
- Paper-based compliance is a small and incomplete part of the picture. Central to the decision (and another recurring point of failure in ICO enforcement) was that Interserve had extensive information security policies and standards, but these policies were neither implemented nor subject to appropriate oversight, despite the executive being aware of issues with the Interserve estate. Policies and procedures are an essential part of any compliance programme, the "paper shield", but without the resources and budgets needed to implement and oversee them effectively they can become a liability for controllers, giving regulators an easy way to prove a breach: the controller has itself documented the standard it then failed to meet. Employee training remains a key consideration for the ICO in post-incident enforcement, and the Interserve MPN is yet another reminder of the importance of regular and effective training.
- Period for assessing duration of infringement / enforcement: the "relevant period" for the ICO's assessment of the duration of the infringement was held to start when Interserve became the relevant controller (following the winding up of another group company) and did not end until remediation was complete. This emphasises the importance of remediating any gaps in security measures promptly to meet the legal standard of care. Any delay in remediation will extend the duration of the infringement, aggravating the risk of fines and potentially compounding the losses caused to data subjects. The MPN also provides an insight into the timing of, and procedural steps around, ICO enforcement. The Notice of Intent was not served on Interserve until almost two years after the Article 33 notification was made to the ICO. A month later, Interserve provided written representations in response to that notice. The ICO updated the notice and invited supplemental representations, which Interserve made. The final procedural step was an ICO meeting around four weeks before the MPN was published.
- What was the risk of harm to the individuals? An eagle-eyed reader may ask what the risk to the data subjects was here. There was no evidence of exfiltration, and one view is that the threat actor applied encryption in an attempt to extort money from, or cause nuisance to, Interserve rather than to harm the individuals (e.g., through fraud).
The ICO found that all the data subjects had their personal data processed unlawfully and that the processing had the potential to cause concern, anxiety and stress, because: (a) the data had been accessed by criminal actors with malicious intent; (b) the personal data compromised included data commonly used to facilitate identity and financial fraud (home addresses, bank account details, pay slips, passport data and national insurance numbers); (c) special category data was compromised, which is particularly sensitive (per Recital 51), and while employees may be content to share such data with their employer, they would not want it accessed by malicious individuals; (d) the compromised data included salary details, which enable social and financial profiling and are dangerous in the hands of threat actors; and (e) while there was no evidence of exfiltration, the ICO could not rule out that possibility, and the risk of exfiltration remained significant because the compromised privileged accounts could have been used to exfiltrate data, advanced groups can prevent detection of exfiltration, and the measures that could have identified exfiltration (firewall filtering and logging) were not implemented until after the incident. The absence of evidence of exfiltration was therefore given little weight: without egress logging, "no evidence" reflects what the controller could see, not what the attacker did.
- What should you be discussing with your information security team? While the MPN does not necessarily reflect the legal standard of care (the ICO does not make the law), it is an indication of the ICO's view of that standard at the date of the incident. In particular, the ICO considered that the following gaps and deficiencies fell short of the standard required by Articles 5(1)(f) and 32 GDPR:
- outdated operating systems/protocols;
- inadequate endpoint protection (outdated software; firewalls not enabled);
- no pen tests conducted for two years prior to the incident;
- inadequate investigation by the information security team of the initial endpoint alert; and
- poor privileged account management.
It would be prudent for organisations to check that their own IT estates do not suffer from the same shortcomings. As with previous decisions, regulatory guidance and standards (NIST, NCSC) continue to be an appropriate benchmark. The MPN strongly implies that Interserve spent considerable sums on remediation to meet the ICO's expectations. Remediation before a cyber incident is invariably less costly, stressful and damaging to an organisation's reputation and balance sheet than remediation after one.
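Two of the failings above, the unverified "malware removed" alert on Patient Zero and the later use of a privileged account to uninstall the anti-virus product, are the kind of thing a security operations team can check for automatically. The following Python example, written for this digest and not drawn from the ICO notice or from Interserve's tooling, correlates an endpoint "auto-removed" alert with subsequent lateral connections from the same host and with any uninstallation of a security service, so that the alert is treated as the start of an investigation rather than the end of one. The log format, field names, thresholds (a seven-day follow-up window, three distinct lateral destinations) and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (JSON lines), loosely modelled on the fact pattern
# in the MPN: an endpoint alert reports successful auto-removal, the same host
# then fans out over SMB/RDP, and a privileged account removes the AV product
# on one of the servers it reached. Not real telemetry.
SAMPLE_LOG = """\
{"ts": "2020-03-30T09:12:00Z", "host": "WS-041", "source": "edr", "event": "malware_detected", "action": "removed", "user": "jdoe"}
{"ts": "2020-03-30T11:40:00Z", "host": "WS-041", "source": "netflow", "event": "new_connection", "dst": "SRV-FILE01", "dst_port": 445, "user": "jdoe"}
{"ts": "2020-03-31T02:05:00Z", "host": "WS-041", "source": "netflow", "event": "new_connection", "dst": "SRV-DB02", "dst_port": 3389, "user": "jdoe"}
{"ts": "2020-03-31T02:20:00Z", "host": "WS-041", "source": "netflow", "event": "new_connection", "dst": "SRV-DB03", "dst_port": 3389, "user": "jdoe"}
{"ts": "2020-04-02T03:15:00Z", "host": "SRV-DB02", "source": "windows", "event": "service_uninstalled", "service": "EndpointProtection", "user": "svc_admin"}
{"ts": "2020-03-30T10:00:00Z", "host": "WS-077", "source": "edr", "event": "malware_detected", "action": "removed", "user": "asmith"}
{"ts": "2020-03-30T10:30:00Z", "host": "WS-077", "source": "netflow", "event": "new_connection", "dst": "SRV-FILE01", "dst_port": 445, "user": "asmith"}
"""

LATERAL_PORTS = {445, 3389, 5985, 5986, 22}          # SMB, RDP, WinRM, SSH
SECURITY_SERVICES = {"endpointprotection", "antivirus", "edr", "defender"}  # assumed names
FOLLOW_UP_WINDOW = timedelta(days=7)                 # assumed review window after an alert
MIN_FANOUT = 3                                       # distinct lateral destinations before flagging


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def off_hours(ts):
    """Constructed heuristic: 00:00-06:00 UTC is outside normal working hours."""
    return ts.hour < 6


def unverified_remediations(events):
    """Hosts where an 'auto-removed' alert was followed, within the window, by
    lateral fan-out from that same host. The finding carries the evidence so an
    analyst verifies the host rather than trusting the removal report."""
    findings = {}
    removals = [e for e in events
                if e.get("source") == "edr" and e.get("action") == "removed"]
    for alert in removals:
        host = alert["host"]
        window_end = alert["ts"] + FOLLOW_UP_WINDOW
        later = [e for e in events
                 if e["host"] == host and alert["ts"] < e["ts"] <= window_end
                 and e.get("event") == "new_connection"
                 and e.get("dst_port") in LATERAL_PORTS]
        destinations = sorted({e["dst"] for e in later})
        if len(destinations) >= MIN_FANOUT:
            findings[host] = {
                "alert_ts": alert["ts"].isoformat(),
                "destinations": destinations,
                "off_hours": any(off_hours(e["ts"]) for e in later),
            }
    return findings


def security_tool_removals(events):
    """(host, user) pairs where a security service was uninstalled. Any hit is
    worth a ticket on its own, whatever account did it."""
    return [(e["host"], e["user"]) for e in events
            if e.get("event") == "service_uninstalled"
            and e.get("service", "").lower() in SECURITY_SERVICES]


def link_chains(findings, removals):
    """Tie an AV uninstall back to a flagged workstation that had already
    connected to that host: a compromised endpoint feeding a privileged action
    elsewhere in the estate, as in the incident described above."""
    return [(ws, host, user)
            for ws, f in findings.items()
            for host, user in removals
            if host in f["destinations"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = unverified_remediations(evs)
    uninstalls = security_tool_removals(evs)
    for host, detail in flagged.items():
        print(f"verify remediation on {host}: {detail}")
    for host, user in uninstalls:
        print(f"security service removed on {host} by {user}")
    for ws, host, user in link_chains(flagged, uninstalls):
        print(f"chain: {ws} -> {host} (AV uninstalled by {user})")
```

On the constructed sample, WS-041 is flagged (three distinct lateral destinations, some overnight) while WS-077, which made a single daytime SMB connection after its alert, is not; the uninstall on SRV-DB02 is reported on its own and is also linked back to WS-041. In a real estate the inputs would come from the EDR, flow logs and Windows event forwarding, and the thresholds would be tuned to the environment, but the point of the check is the same: an auto-remediation report is a prompt to look at what the host did next.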
We continue to advise clients regularly on incident response as well as on proactive cyber assurance and resilience. If you need any advice in this area, please do reach out to your DLA contact.
Authors: Ross McKean (Partner and co-chair of the UK data protection and cyber security practice) and Henry Pelling (Senior Associate in the DLA data protection and cyber security practice).