On 24 October 2022, the UK Information Commissioner’s Office (“ICO”) fined Interserve Group Limited £4.4 million for failing to implement appropriate technical and organisational measures to safeguard 113,000 individuals’ personal data in company HR databases.
Here we outline what went wrong and lessons for businesses about how to manage the risk of similar incidents and regulatory enforcement action.
What happened?
Interserve is the parent of a group of UK-headquartered construction companies. According to the ICO, following a successful phishing attack, the threat actor installed a remote access tool on an Interserve employee’s workstation. From there, the threat actor moved laterally to other systems and uninstalled Interserve’s antivirus software. In total, the threat actor accessed 283 systems and 16 accounts across four domains, and encrypted four HR databases containing personal data relating to up to 113,000 employees. This included contact details, bank account information, marital status, birth date, education history, country of birth, gender, emergency contact details, and salary, as well as special category data, including ethnic origin, religion, details of disabilities, sexual orientation, and health information.
The ICO found various failings in Interserve’s technical and organisational measures, including:
- use of unsupported operating systems with known, unpatched vulnerabilities;
- inadequate end-point protection, including a lack of host-based firewalls, “allow or deny” lists, macro prevention, and up-to-date antivirus screening
- no penetration testing in the two years prior to the incident;
- failure to ensure all employees received data protection training;
- widespread use of SMB version 1: an outdated and vulnerable shared access communication protocol;
- insufficient incident investigation practices, including a failure to verify that the malware that led to the incident had been removed after antivirus software had incorrectly reported its successful removal; and
- overbroad privileged account management: over 280 users were included in the domain administration group with wide permissions including, in some instances, to uninstall antivirus software.
What can others learn from the breach?
1. The importance of risk assessments. Risk assessments are a core element of a robust information security program. The ICO’s decision highlights Interserve’s failure to keep track of, and mitigate, cyber risk. Building on the ICO’s findings, businesses may want to ensure that their risk assessments verify, among other things, that:
- operating systems and software are up-to-date and any known-vulnerabilities have been addressed or a remediation plan is in place;
- appropriate endpoint detection systems and host-based firewalls are used and correctly configured;
- penetration tests are performed regularly and findings acted upon; and
- other technical controls, such as macro-prevention and “allow or deny” lists are implemented, as appropriate.
Businesses may also want to ensure that, where appropriate, their technical and organisational measures align with leading industry standards (e.g., ISO27001 or NIST), National Cyber Security Center, ICO or other law enforcement and regulatory guidance, and advice from vendors and commercial threat intelligence providers.
Importantly, the ICO’s decision emphasises that the cost of implementing additional technical protections is—in its view—not relevant to the appropriateness of technical measures if the measures are otherwise proportionate to the risks.
For in-house counsel or compliance teams, taking the time to review a risk assessment and map the results of the assessment to regulatory frameworks and enforcement actions such as the one discussed herein can be invaluable. Aside from ensuring compliance, this represents an opportunity to deepen relationship with information security teams. For an illustrative view of mapping cyber frameworks to regulations, take a look at the Profile provided by the Cyber Risk Institute.
2. Training is a regulatory expectation. The ICO penalty highlights that training remains critical to managing cyber risk. Ideally, training should be responsive to businesses’ specific organisational risks identified through risk assessments. Businesses may want to consider implementing processes to ensure employees and contractors at every level receive regular and robust training and that participation is monitored, and where gaps exist, enforced. General training can be supplemented by practical exercises such as in-depth cybersecurity tabletop exercises and phishing tests. It is important that training is revised as business processes evolve and legal and regulatory requirements change, and that issues identified through training are escalated for remediation.
3. Effective management oversight is required. The ICO’s decision stresses the need for effective management engagement in IT security, finding that Interserve’s senior management had insufficient oversight of whether its policies were adhered to in practice, and of the systems and software used. This reflects a broad convergence amongst regulators, and in legislation globally, on the importance of senior (including board level) cyber oversight. Ensuring that senior management is trained appropriately on, and receives regular briefings and updates about, actual and potential cyber risks is key. Tabletop exercises can be a highly effective way to both educate senior management of cyber risks and also give them oversight of existing incident response policies and procedures.
To subscribe to the Data Blog, please click here.