UK’s Information Commissioner Fines Firm Over Inadequate Security

Updated on 2022-10-27:  Interserve fine

The UK Information Commissioner Officer levied a massive £4.4 million ($5 million) fine against Interserve, a Berkshire-based construction company, for failing to update software and train staff, which eventually led to a ransomware attack during which the data of its employees was stolen by cybercriminals. Read more: ‘Biggest cyber risk is complacency, not hackers’ – UK Information Commissioner issues warning as construction company fined £4.4 million

Overview

The UK Information Commissioner’s Office (ICO) has fined Interserve Group Limited, a facilities management outsourcing and construction firm, £4.4 million ($5 million) for failing to implement adequate security measures prior to a 2020 cybersecurity incident. Intruders gained access to Interserve’s systems and compromised information belonging to 113,000 employees. The ICO says that at the time of the incident, Interserve was running unsupported versions of Windows Server and outdated versions of antivirus software.

Note

• This is the fourth largest fine imposed by ICO. The intent is to induce careful consideration of the cyber security of business partners. When was the last time you assessed the security of services you’re using to share or process information, particularly business sensitive or regulated data? Can they demonstrate they are keeping services updated and current? Do you know how your data is separated from other customers’ data and is that sufficient? Don’t exclude your cloud services or hosted infrastructure. Consider the level of access their staff has to your data, physical and logical.

Read more in

• Outsourcer Interserve fined £4.4m for failing to stop cyber-attack
• UK Firm Fined for Poor Security Prior to Ransomware Attack