The data of 113,000 employees of the company were in the hands of cybercriminals.
The UK Information Commissioner's Office (ICO) has fined Berkshire-based construction group Interserve £4.4 million ($4.9 million) after a cyberattack that resulted in unknown hackers using a phishing email to get to the personal details of 113,000 employees.
It all started in May 2020, when an Interserve employee forwarded a phishing email to a colleague, who then downloaded it and accidentally installed malware on a company workstation. After that, the cybercriminal compromised 283 systems and 16 accounts, removed the company's antivirus solution, and encrypted the personal data of 113,000 employees.
The company is accused of failing to adequately protect the data of its employees. The phishing email was neither blocked nor quarantined on the company's system, and even when the malware was detected by the antivirus solution, Interserve did not investigate further.
According to the ICO, the attacker gained access to employee contact information, social security numbers, bank account information, and other personal information (ethnic origin, religion, disability information, sexual orientation, health information). In addition, the ICO found that Interserve violated data protection laws by failing to properly train employees and provide technical safeguards, and by using outdated software systems and protocols.
The fine imposed on Interserve was the fourth largest ever issued by the ICO. Information Commissioner John Edwards says the fine should serve as an example for other companies trying to save money on cybersecurity specialists, employee training and antivirus solutions.