UK Construction Biz Fined £4.4m for Serious Security Failings
A British construction company has been fined over £4m ($4.5m) by the data protection regulator after a series of security failings allowed a hacker to steal and encrypt the personal information of 113,000 current and former employees.
The Information Commissioner’s Office (ICO) has the power to fine organizations up to £17.5m ($20m) or 4% of total global annual turnover, whichever is higher, under the GDPR and the UK Data Protection Act 2018.
It claimed that Berkshire-based Interserve Group had failed to put appropriate security measures in place to guard against a ransomware attack. This led to the theft of a large range of sensitive employee information including contact details, national insurance numbers, bank account details, as well as details of any disabilities, sexual orientation, ethnic origin, religion and health information.
It explained that a phishing email was opened by an employee after being forwarded by a colleague. The worker unwittingly downloaded malware to their machine, and the infection was flagged for attention by the company’s antivirus (AV) software.
However, the follow-up investigation was not thorough enough, enabling the threat actor to access 283 systems and 16 accounts, and to uninstall the company’s AV solution, the ICO said.
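The failure chain above (an AV detection that was never properly investigated, followed by the attacker removing the AV agent) is exactly what a simple correlation rule over endpoint telemetry should catch. The following is an added example written for this page, not code from the ICO or Interserve: it runs over a constructed, hypothetical event feed (the field names `ts`, `host`, `event`, `detail` and the event names such as `av_detection` and `av_uninstalled` are assumptions, not any vendor's schema) and raises a high-severity finding for any detection with no recorded investigation within a follow-up window, plus a critical finding whenever AV tampering events appear on a host after a detection. It also illustrates the ICO's later advice to investigate initial warnings rather than rely on the AV alone.

```python
"""Triage antivirus detections: flag ones nobody followed up and ones followed by
AV tampering on the same host. Editor-added example; the log schema is hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalised schema (ISO timestamp,
# hostname, event name, free-text detail). Not real Interserve telemetry.
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:12:00", "host": "WS-0142", "event": "av_detection",       "detail": "Trojan.GenericKD quarantined"},
    {"ts": "2024-01-17T22:41:00", "host": "WS-0142", "event": "av_service_stopped", "detail": "service stop by interactive user"},
    {"ts": "2024-01-17T22:43:00", "host": "WS-0142", "event": "av_uninstalled",     "detail": "msiexec /x product removed"},
    {"ts": "2024-01-15T11:00:00", "host": "WS-0201", "event": "av_detection",       "detail": "Downloader.Agent quarantined"},
    {"ts": "2024-01-15T13:15:00", "host": "WS-0201", "event": "alert_investigated", "detail": "host isolated and reimaged"},
    {"ts": "2024-01-16T08:05:00", "host": "WS-0333", "event": "av_detection",       "detail": "Macro.Dropper quarantined"},
]

# Event names (assumed) that mean the endpoint agent was disabled or removed.
TAMPER_EVENTS = {"av_service_stopped", "av_uninstalled", "av_realtime_disabled"}


def triage(events, followup_window=timedelta(hours=24)):
    """Return a list of findings, one per problem, ordered by host.

    - detection_not_investigated: no alert_investigated event for that host
      within followup_window after the detection (assumes the batch covers the
      whole window, i.e. this runs over historical data).
    - av_tampering_after_detection: any TAMPER_EVENTS on the host after the
      detection, regardless of whether someone closed the alert.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = []
    for host in sorted(by_host):
        evs = sorted(by_host[host], key=lambda e: e["ts"])
        for i, det in enumerate(evs):
            if det["event"] != "av_detection":
                continue
            later = evs[i + 1:]
            investigated = any(
                x["event"] == "alert_investigated"
                and x["ts"] - det["ts"] <= followup_window
                for x in later
            )
            if not investigated:
                findings.append({
                    "host": host, "severity": "high",
                    "reason": "detection_not_investigated",
                    "detail": f"{det['detail']} at {det['ts'].isoformat()}",
                })
            # First tampering event after the detection, if any.
            tamper = next((x for x in later if x["event"] in TAMPER_EVENTS), None)
            if tamper is not None:
                findings.append({
                    "host": host, "severity": "critical",
                    "reason": "av_tampering_after_detection",
                    "detail": f"{tamper['event']} at {tamper['ts'].isoformat()} "
                              f"following detection at {det['ts'].isoformat()}",
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']}: {f['reason']} ({f['detail']})")
```

On the constructed feed, WS-0201 produces nothing (the alert was investigated within the window), WS-0333 is flagged as uninvestigated, and WS-0142 gets both an uninvestigated-detection finding and a critical tampering finding. In a real deployment the "alert_investigated" signal would come from the ticketing or SOAR system, and the tampering events from the EDR or Windows event log; the point is that AV uninstallation after a detection should page someone, not sit in a report.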
The data was encrypted and stolen, although there is no information on whether Interserve paid its extortionists.
According to the regulator, Interserve:
- Failed to follow up on the original suspicious activity alert
- Used outdated software systems and protocols
- Provided inadequate staff training
- Ran insufficient risk assessments
The £4.4m sum is the final fine amount, with the ICO not changing its initial “notice of intent” figure following representations from Interserve.
The ICO urged all companies to learn from this case to avoid serious compromise. To better safeguard people’s data, it said organizations should:
- Regularly monitor for suspicious activity and investigate any initial warnings
- Update software and remove outdated or unused platforms
- Update policies and secure data management systems
- Provide regular staff training
- Encourage the use of secure passwords and multi-factor authentication