£4.4 million fine issued to firm for breach of its own staff’s data

Retail and manufacturing company Interserve Limited has received a £4.4 million fine for failing to implement appropriate security measures to protect the data of its employees.

What are organisations required to do to protect data under the UK GDPR?

Under Article 5(1)(f) and Article 32 of the UK GDPR, organisations are required to implement appropriate technical and organisational measures (“OTMs”) to ensure the safety and security of personal data. These OTMs can include measures such as encrypting data, implementing training and processes and undertaking data protection impact assessments.

How did Interserve breach these requirements?

The ICOs investigation uncovered that Interserve did not have appropriate OTMs in place to prevent a cyber-attack, which led to a phishing email to allow hackers to access the personal data of up to 113,000 employees in May 2020. This data included information such as contact details, national insurance numbers, and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

Phishing emails contain links or attached files which, when clicked, will download viruses or other malware that can allow cyber-attackers to access the organisation’s entire network. These emails are often disguised to look as though they are from a known colleague, customer, or supplier.

The email was forwarded by an employee, and was not blocked by Interserve’s security systems, and the content was downloaded which installed malware onto the employee’s system. The ICO found that although Interserve’s anti-virus software detected the malware, the company did not thoroughly investigate the suspicious activity.

Lessons learned

The above example serves as a stark reminder to organisations that the safety and security of data is of paramount importance, and that a lack of training and other measures, mixed with employee complacency can lead to significant fines from the ICO. John Edwards, the UK Information Commissioner as warned of ‘similar fines’ for organisations that do not properly train staff, update software, or fail to act on warnings.

The maximum fine under the UK GDPR is the higher of £17.5 million or 4% of the organisation’s total annual worldwide turnover, highlighting the potential significant impact of a failure to implement appropriate OTMs.

Please note that this information is for general guidance only and should not substitute professional legal advice. If you have specific concerns, we recommend consulting one of our legal experts.