
Complacency biggest cyber risk to UK plc, says ICO

Information commissioner John Edwards warns against complacency as his office issues a multimillion-pound fine to a building company that failed to prevent a ransomware attack

It is organisational complacency, rather than the specific actions of cyber criminals and other threat actors, that poses the greatest source of risk to British businesses, information commissioner John Edwards has warned.

Speaking as the Information Commissioner’s Office (ICO) fined construction firm Interserve £4.4m over a 2020 ransomware incident that saw the data of 113,000 employees stolen, Edwards said that companies are exposing themselves to attack by ignoring crucial measures such as patching and staff training.

Interserve was targeted by unspecified cyber criminals in early 2020. The incident was notified to the ICO and its subsequent investigation found that the breach originated via a phishing email which was not quarantined or blocked by the victim’s security systems.

The recipient of the phishing email, who was working from home during the UK’s first Covid-19 lockdown, forwarded it to a colleague, who opened it and downloaded its content. That gave the gang a foothold in Interserve’s IT estate, from which the cyber criminals were able to encrypt and steal the personal data of Interserve’s employees, including contact details, national insurance numbers and bank details, as well as information on ethnic or religious background, health and disabilities, and sexual orientation.

The ICO said that because employees were connecting to Interserve’s systems over a split-tunnel VPN, in which only traffic bound for the corporate network goes through the VPN and ordinary internet traffic leaves directly from the home connection, the employee who clicked the link in the email never passed through the company’s Bluecoat internet gateway, which would otherwise have restricted access to the malicious content. One of the two employees was also found not to have undertaken security training.

In the course of the attack, 283 systems and 16 accounts were compromised, and the company’s antivirus solution was uninstalled.

Human error was then compounded. Although the phishing email itself was not blocked, Interserve’s antivirus did quarantine the malware and alerted the security team, which failed to investigate the activity properly and treated the incident as contained. Had it looked more closely, it would have found that the attacker had already achieved persistence and was in the process of disabling the antivirus, and the incident would likely have been resolved in short order.
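The gap the ICO describes here, a quarantine alert closed as contained while the attacker kept working on the same host, is one a security team can close by correlating each quarantine with what follows it. The block below is an added example, not code from Interserve, the ICO or this article: the endpoint-protection log format, the event names and the log lines themselves are constructed assumptions. It treats a quarantine followed within a window by persistence or antivirus-tampering events on the same host as unresolved, regardless of what the analyst recorded.

```python
"""Flag antivirus quarantines that were closed as contained but were followed by
persistence or AV tampering on the same host. Added illustration; the log format,
event vocabulary and sample lines are assumptions, not Interserve's or the ICO's."""
from datetime import datetime, timedelta

# Constructed sample endpoint-protection log (UTC timestamp, then key=value pairs).
# Field names and event names are assumed for illustration.
SAMPLE_LOG = """\
2020-05-05T09:12:41Z host=LAPTOP-0142 user=j.smith event=quarantine detail=Trojan.GenericKD
2020-05-05T09:14:02Z host=LAPTOP-0142 user=soc.analyst event=alert_ack detail=closed:contained
2020-05-05T11:47:03Z host=LAPTOP-0142 user=j.smith event=scheduled_task_created detail=WindowsUpdateCheck
2020-05-05T13:20:17Z host=LAPTOP-0142 user=j.smith event=av_realtime_disabled detail=local_policy_override
2020-05-06T02:05:55Z host=LAPTOP-0142 user=svc_backup event=av_uninstalled detail=msiexec_uninstall
2020-05-05T10:30:00Z host=DESKTOP-2210 user=a.jones event=quarantine detail=Adware.Generic
2020-05-05T10:31:00Z host=DESKTOP-2210 user=soc.analyst event=alert_ack detail=closed:contained
"""

# Events that show the attacker is still active after the quarantine (assumed names).
AV_TAMPER_EVENTS = {"av_realtime_disabled", "av_service_stopped", "av_uninstalled"}
PERSISTENCE_EVENTS = {"scheduled_task_created", "service_created", "run_key_added"}


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime under 'ts'."""
    ts_str, *pairs = line.split()
    record = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unresolved_quarantines(events, window_hours=24):
    """For each quarantine, look forward on the same host within the window.

    A quarantine followed by persistence or AV-tamper events was not contained,
    whatever the analyst recorded; those cases are returned for escalation.
    """
    by_host = {}
    for event in events:
        by_host.setdefault(event["host"], []).append(event)

    findings = []
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: e["ts"])
        for index, quarantine in enumerate(host_events):
            if quarantine["event"] != "quarantine":
                continue
            deadline = quarantine["ts"] + timedelta(hours=window_hours)
            later = [e for e in host_events[index + 1:] if e["ts"] <= deadline]
            followups = [e for e in later if e["event"] in AV_TAMPER_EVENTS | PERSISTENCE_EVENTS]
            if not followups:
                continue  # nothing suspicious after the quarantine: the verdict stands
            findings.append({
                "host": host,
                "quarantine_ts": quarantine["ts"],
                # Was the alert closed by an analyst even though activity continued?
                "closed_as_contained": any(
                    e["event"] == "alert_ack" and e["detail"].startswith("closed")
                    for e in later
                ),
                "persistence": any(e["event"] in PERSISTENCE_EVENTS for e in followups),
                "av_tampered": any(e["event"] in AV_TAMPER_EVENTS for e in followups),
                "followups": followups,
                # Every account seen on the host from the quarantine onwards.
                "accounts_involved": sorted({e["user"] for e in [quarantine] + followups}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unresolved_quarantines(parse_log(SAMPLE_LOG)):
        print(f"{finding['host']}: quarantine at {finding['quarantine_ts']:%Y-%m-%d %H:%M}, "
              f"closed as contained={finding['closed_as_contained']}, "
              f"persistence={finding['persistence']}, AV tampered={finding['av_tampered']}, "
              f"accounts={finding['accounts_involved']}")
```

On the constructed log, the second host’s quarantine is genuinely contained and produces nothing, while the first host is escalated because a scheduled task, a real-time protection override and an uninstall follow the quarantine under two different accounts. The window matters: a follow-up check that only looks a couple of hours past the alert misses all three.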

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office,” said Edwards.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

The ICO investigation found Interserve failed to follow up on security alerts, used outdated software systems and protocols, and had not put in place adequate staff training or conducted sufficient cyber risk assessments. It ruled that Interserve broke data protection law by “failing to put appropriate technical and organisational measures in place to prevent the unauthorised access of people’s information”.

It should be noted that Interserve, having got into financial difficulties, went into administration owing over £100m about a year before the incident, and was then “rescued” in a pre-pack deal that saw some of its business units sold off.

As such, Computer Weekly understands the fine – which can be appealed but otherwise must be paid by 21 November 2022 – is to be levied against the successor company Interserve Group Ltd, which is now the parent organisation.

The ICO’s self-described “robust but fair” approach to levying fines continues to apply to companies in administration, with the organisation empowered to offer options such as payment plans if debtors are experiencing genuine financial hardship. In the case of those that cannot or will not pay, the body is empowered to take formal recovery actions that can result in insolvency. In instances where directors may seek to avoid payment by going into insolvency, it is also able to exercise its legal rights as any other creditor would.

“Cyber attacks are a global concern, and businesses around the world need to take steps to guard against complacency,” Edwards went on.

“The ICO and NCSC [National Cyber Security Centre] already work together to offer advice and support to businesses, and this week I will be meeting with regulators from around the world, to work towards consistent international cyber guidance so that people’s data is protected wherever a company is based.”

Later this week, Edwards will be attending the 44th Global Privacy Assembly in Turkey, which will convene more than 120 data protection and privacy bodies from around the world. At the event, he will present a resolution calling for deeper international collaboration in the service of cyber resilience.
