Construction firm Interserve was the latest target of the Information Commissioner’s Office (ICO)’s ongoing enforcement spree, following a 2020 phishing attack that compromised the personal data of up to 113,000 people.
The incident began with an extremely common security violation—one employee inadvertently forwarding a malicious email to another—and ended with a £4.4 million fine, issued on Monday.
In a landscape where social engineering remains one of the foremost security threats, one particularly interesting aspect of the case is the ICO’s finding that a failure to implement staff training policies contributed to Interserve’s violation of the UK GDPR.
The incident arose when Interserve received an email to its shared inbox that was designed to look like an urgent invoice payment request. The email included a link that led to a zip file containing a malicious script.
One employee forwarded this email to another employee, who then followed the link, downloaded the zip file and executed the script. The script installed malware onto their computer, allowing the attacker to gain access.
Interserve did have some technical controls in place designed to prevent or mitigate such attacks, but unfortunately, these failed in this instance.
The employee was remote working and could access the company’s systems via split tunnelling. This meant access to the link circumvented Interserve’s internet gateway.
Interserve’s endpoint security software reported that it had removed some of the unzipped malware files. However, the attacker retained access to the employee’s workstation.
A few days after the initial incident, the attacker gained access to one of Interserve’s servers, and then gained access to further systems. The following month, an attacker compromised 283 systems and 16 accounts.
The attacker encrypted the personal data of up to 113,000 people (this included “special category data” about health, sexual orientation and religious belief), rendering it unavailable to Interserve.
While there is no evidence that the data was exfiltrated, the Commissioner states that the possibility “cannot be ruled out” and that individuals “do not know if or how they may be targeted in future”, for example by identity theft.
Policy and Practice
Interserve did have technical protections in place, several of which were circumvented by the attacker.
However, as this was a social engineering attack, a major focus of the investigation was on whether the company’s staff received adequate training.
The ICO notes that while Interserve had an internal “Information Security Training” policy, one of the two employees who fell victim to the attack had not received training.
Interserve’s policy stated that employees would be trained in “how to protect information correctly” and “develop and apply information security controls”. The training was supposed to “target all colleagues and other business users”.
The ICO also cited the security framework ISO 27001, which requires “all employees” and contractors to receive “appropriate awareness education and training”, and NIST 800-50 which requires organisations to ensure “all individuals” are appropriately trained in security.
Furthermore, the ICO cites two guidance documents from the National Cyber Security Centre (NCSC), both of which recommend that organisations provide security training (but which do not explicitly mention that such training should be provided to “all” employees).
Is Training Always Effective?
Recall that there were two employees involved in the social engineering element of this incident:
Employee A, who opened a malicious email with a link to a zip file containing a script, and who forwarded the email to employee B
Employee B, who followed the link, opened the zip file and ran the script
Interestingly, it was employee A who had not received security training.
“This deficiency exposed Interserve to risks of the kind giving rise to the Incident,” the ICO states.
However, employee B, whose security violation was arguably more serious, had received the training.
It is therefore questionable whether, had employee A undertaken the same course of security training as employee B, the incident would have been prevented.
Previous ICO Recommendations
While this was Intererve’s first ICO investigation, the company had reported data breaches to the ICO twice before. Both incidents occurred in 2019.
On both occasions, the ICO notes, the Commissioner directed Interserve to “review the Commissioner’s GDPR security guidance”.
Following one of the two reported data breaches, the ICO provided Interserve with advice on “the importance of employee training in respect of managing phishing attacks”.
Should Have Known Better?
Having an “all-staff data protection and information governance training programme” in place is listed on the ICO’s website as being one of the ways to meet the regulator’s expectations.
Interserve had such a programme. However, the fact that Interserve had a training programme in place—but failed to ensure every employee had undertaken the training—appears to have made the situation worse for the company.
The regulator states that Interserve “ought reasonably to have been aware” of the risks of training every member of staff before allowing access to the company’s “IT system”, because:
“…the importance of training employees was well-known and documented”
“Interserve’s own policies required training of all employees”
The ICO deemed this a “failure to implement appropriate and effective information training” that “contributed to a breach” of the UK GDPR’s “integrity and confidentiality” principle at Article 5(1)(f).
Walk the Talk
There are several elements of the Interserve fine that require further exploration. Jakub Krupa of MLex tells me that the company strongly disputes the ICO’s allegations and argues that the regulator failed to follow the proper processes.
However, as it stands, there is at least one important takeaway from this decision: It’s not sufficient to create and maintain internal security policies—you must also ensure you continually review and implement these policies to mitigate security risks and regulatory action.