UK Firm Fined for Poor Security Prior to Ransomware Attack
Interserve Ran Obsolete Servers and Didn't Verify Malware Deletion
Britain's data watchdog levied a 4.4 million-pound fine against a facilities management outsourcing and construction firm for a ransomware attack that exposed employee data.
Hackers penetrated Interserve Group Limited in late March 2020, breaching the confidentiality of four human resources databases containing personal data of 113,000 employees. The fine, which is approximately US$5 million, should "cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness," U.K. Information Commissioner John Edwards told The Guardian.
Among the exposed data were contact details and identifying information including birthdate as well as sensitive data such as marital status, dependents and salary amounts.
The U.K. Information Commissioner's Office says the company failed to put appropriate security measures in place to prevent the intrusion, including by running unsupported versions of the Windows server operating system and using an outdated version of McAfee antivirus software.
Attackers got into company systems via a phishing email with a malicious .zip file attached. At the time of the incident the company had not enabled host-based firewalls, nor had it blocked macros from executing on the computer of the employee who opened the phishing email, the ICO says. The company also had 280 users with domain administration permissions, a number the ICO says was excessive. Hackers compromised 12 of those accounts.
A cybersecurity tool did detect the initial infection, but it wrongly reported the malware as having been successfully removed. The company didn't verify the tool's actions, and the attacker retained access.
"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company," Edwards said in a statement.
The office cites the General Data Protection Regulation as the legal basis for the fine - a European Commission regulation that the United Kingdom incorporated as domestic law in 2018 ahead of its withdrawal from the European Union. Adherence to the GDPR is a cornerstone of a June 2021 agreement that allows commercial data flows to continue crossing the English Channel.
Members of the U.K. Conservative Party, which currently controls Parliament, have put continued adherence to the GDPR in doubt. During the annual party conference earlier this month, Secretary of State for Digital, Culture, Media and Sport Michelle Donelan announced an effort to replace the GDPR with a "truly bespoke British system of data protection."
The ICO says the company didn't just violate continental standards but also its internal policies for systems management, which required it to keep servers up to date on patches and to have malware protection.
At the time of the attack, Interserve was processing personal data on 18 servers running Windows Server 2003 R2, for which Microsoft withdrew mainstream support in 2010. Another 22 servers ran Windows Server 2008 R2, for which Microsoft terminated mainstream support in 2015. The company also still widely deployed the Server Message Block version 1 (SMBv1) network file sharing protocol, which Microsoft deprecated in 2013.
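As an added illustration of the control gaps the ICO lists (unsupported Windows Server versions, SMBv1 still enabled, disabled host firewalls, unblocked Office macros and an oversized domain-admin group), here is a PowerShell audit script that is not part of the ICO notice or of Interserve's own tooling. The Domain Admins threshold and the Office 16.0 policy path are assumptions; the SMB and firewall cmdlets require Windows Server 2012 or later.

```powershell
# Added audit script (not from the ICO or Interserve): checks one Windows host for the
# control gaps named in the penalty notice. Run in an elevated PowerShell session; the
# Domain Admins check needs the ActiveDirectory module (RSAT) and domain connectivity.
$findings = @()

# 1. Operating system still in support? 2003 R2 and 2008 R2 were both out of mainstream support.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -match 'Server (2003|2008)') {
    $findings += "Unsupported OS: $($os.Caption) $($os.Version)"
}

# 2. SMBv1 should be disabled on the server side (Microsoft deprecated it in 2013).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) { $findings += 'SMBv1 server protocol is enabled' }

# 3. The host-based firewall must be on for every profile (Domain, Private, Public).
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall disabled for profile: $($_.Name)"
}

# 4. Office macros: VBAWarnings 3 (signed only) or 4 (block all) is acceptable.
#    Assumption: Office 2016+ policy path; adjust the version key for other releases.
$macroKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
$vba = (Get-ItemProperty -Path $macroKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
if ($vba -notin 3, 4) { $findings += "Word macro policy not enforced (VBAWarnings=$vba)" }

# 5. Domain Admins membership: the threshold is a constructed value, not an ICO figure.
$maxDomainAdmins = 10
try {
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    if ($admins.Count -gt $maxDomainAdmins) {
        $findings += "Domain Admins has $($admins.Count) members (threshold $maxDomainAdmins)"
    }
} catch { $findings += "Could not enumerate Domain Admins: $($_.Exception.Message)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings' }
```

Each warning maps to one of the ICO's findings, so the output can be fed straight into a remediation tracker rather than read by hand.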
Whether Interserve pays the fine is an open question. The company is the successor of Interserve Plc, a company that went into the U.K. version of bankruptcy in March 2019. Its construction business has spun off into a company that assumed a previous Interserve corporate identity of Tilbury Douglas while its outsourcing components have been acquired by other companies.