
UK Government Supplier Interserve Fined £4.4M for Failure To Stop 2020 Cyber Attack

A UK government supplier has been held responsible for unwittingly opening the door to a 2020 cyber attack that saw the personal information of some 113,000 people stolen. Construction group Interserve will pay £4.4 million, the fourth largest fine ever imposed by the Information Commissioner’s Office (ICO).

The attack stemmed from a phishing email that an employee engaged with, but the government supplier was also faulted for not following up on an antivirus alert that was generated, as well as for having outdated systems and inadequate staff training in place.

UK government supplier found negligent in ransomware attack

Interserve Group, a major construction firm and government supplier that employs some 53,000 people, was the target of a cyber attack in May 2020 that led to the theft of personal information of about 113,000 current and former employees. The attackers appear to have been able to penetrate deep into the company network and made off with a variety of sensitive information that could be used for theft: payroll and pension information, salaries, national health identification numbers, bank details for automated payments, and HR records paired with employee names and addresses. Compounding the issue for the government supplier was the fact that these files reportedly contained some additional categories of sensitive protected information, such as details about disabilities and health information.

That all contributed to the £4.4 million fine amount, but it’s very unclear if Interserve will end up being able to foot the bill. The company was already teetering on the edge of bankruptcy at the time of the cyber attack, and has since entered administration and is scheduled to close completely in 2024. The allowed appeal of the fine has already been exhausted with no reduction to the amount.

The cyber attack began with a phishing email that was forwarded from one employee to another, with the second employee unwittingly downloading malware to their workstation. The company’s antivirus software caught the malware and quarantined it, issuing a warning, but the ICO investigation found that the company failed to thoroughly follow up; if it had, it would have reasonably been expected to notice that the attacker continued to have access to the government supplier’s internal network.

The cyber attack ultimately compromised 16 employee accounts and 283 systems, and also eventually disabled the antivirus software. ICO found that outdated systems and software contributed to the progression of the cyber attack, along with inadequate staff training and risk assessment.

The thieves did not appear to be able to move laterally to any other systems, but the company’s status as a strategic government supplier brought on the investigation and subsequent fine. Maximum penalties in these cases are £17.5 million or 4% of global annual turnover, whichever amount is higher.

Cyber attack fine clarifies UK penalty terms

The UK has been in a transitional period in terms of cybersecurity and data protection law, as it shifts away from governance by the EU’s General Data Protection Regulation (GDPR) and to its own self-established set of rules. Though it draws on the prior GDPR rules due to the time at which it occurred, the ruling provides some indication as to what government suppliers in the country can expect if they are found negligent in a cyber attack.

Specifically, the ICO decision cited the use of outdated operating systems that were no longer capable of implementing manufacturer security updates. It also noted failures to implement appropriate endpoint protection, to properly manage privileged account access, and to regularly test and evaluate its security measures.

One of the two employees involved with the initial phishing email was found not to have received the relevant security training prior to the incident. The other was making use of “split tunneling” to access the company network, bypassing the company’s internal access restriction gateway for convenience; the investigation noted that this was done by numerous employees throughout the company. The security team was also chastised for failing to promptly respond to the quarantined malware; had they done so, there would have been adequate time to notice that it was in the process of disabling the company’s antivirus software.

The incident as a whole also illustrates how costly a relatively easily avoidable cyber attack can be, with a bill well into the millions that could have been avoided by simple improvements to employee training, or mandatory security response procedures, or a backup layer of endpoint protection. Ransomware and recovery are a massive cost, and that comes ahead of a potential fine for losing large amounts of sensitive personal information.

Chris Vaughan, VP – Technical Account Management, EMEA at Tanium, notes that a defeatist attitude toward cyber attacks can end up being a massive financial liability for any organization: “A narrative has emerged across many IT teams that attacks are becoming too sophisticated to be stopped, and that therefore their efforts should be focused on reacting to security incidents rather than preventing them. However, I would encourage them to focus more on preventative measures which can either minimize the impact of breaches or avoid them altogether. A recent Tanium report found that 90 percent of UK IT Directors agreed that ‘the majority of cyberattacks that we have experienced within our organization have been in some way avoidable’. They are avoidable because breaches are often caused by simple things such as a work device not being patched or a staff member clicking on a link in a phishing email as we saw in the case of Interserve.”

“All successful prevention strategies rely on having full visibility of the organization’s network, particularly the devices connecting to it as some will carry security weaknesses. ‘You can’t protect what you can’t see’ is very true when it comes to IT, and unfortunately, it’s a problem that many organizations face. By adopting a proactive approach which includes this visibility and staff training, organizations will reduce the number of successful attacks and the associated fines from the authorities,” added Vaughan.