The Leading News & Information Service For The Facilities, Workplace & Built Environment Community

Interserve Fined £4.4m for Failure to Keep Staff Details Secure

Interserve Fined £4.4m for Failure to Keep Staff Details Secure
24 October 2022

The UK’s IT security watchdog has fined Interserve for breaching data protection law and failing to prevent a cyber attack.

The Information Commissioner’s Office (ICO) said that the construction company failed to process personal data in an appropriately secure way, making their systems vulnerable to a cyber attack.

The cyber attack incident took place in spring 2020 when a staff member forwarded a phishing email to another employee, who opened it and downloaded its content, resulting in malware being installed on that employee’s machine.

Neither employee had received any data protection training despite internal security policies, and industry standard ISO27001 requiring that all employees receive regular awareness training on the subject.


"The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company."

–John Edwards

UK Information Commissioner, Information Commissioner’s Office


Compromised Databases of Sensitive Staff Information from Phishing Email


Interserve’s systems not only failed to block the phishing email, but the company’s subsequent actions also put its IT infrastructure at further risk.

The company’s anti-virus system quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity, meaning the attacker still had access to the company’s systems without Interserve's knowledge.

The report also demonstrated that the majority of Interserve’s servers were running on an outdated McAfee anti-virus protection product.

The incident affected the personal data of up to 113,000 Interserve employees, including sensitive information such as bank account details, salary, emergency contacts, sexual orientation and details of disabilities.

John Edwards, UK Information Commissioner, said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.

“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

Picture: a photograph of a computer keyboard with a padlock placed on top. Bank cards can also be seen. Image Credit: Unsplash

Article written by Ella Tansley | Published 24 October 2022


Related Articles

NHS IT Services Supplier Victim of Ransomware Attack

It has been confirmed that a ransomware attack is causing a major outage for NHS IT systems. Services affected include software used by NHS 111 and other patient notes...

 Read Full Article
Smart Buildings at Increased Risk of Cyber Attacks, Says Verdantix

The operational technology that powers connected devices across building systems is providing more entry points for cyber criminals to exploit, says research and advisory...

 Read Full Article
Cybersecurity – Are Smart Buildings and its Data Vulnerable to Malware Attacks?

As more and more of a building’s functions are automated and controlled via smart technology systems, has cybersecurity been an afterthought? In 2020, Boris...

 Read Full Article
Working Securely Online – Cyber Hygiene

With more people working on the internet outside of monitored business networks, the risks of compromising company and personal data are increased. Concentration is...

 Read Full Article
Interserve – The Latest

It was reported that in mid-May that Interserve was involved in a cyber attack, involving the theft of information on current and former Interserve...

 Read Full Article
More Global FM Firms Hit By Cyber Attacks

EMCOR Group and Bouyges are the latest FM companies targeted by malicious software attacks.  The website of EMCOR Group, the global providers of facility...

 Read Full Article
Facial Recognition Now Available - But Trouble Brewing Ahead

A commercially available facial recognition system has just been launched. Meanwhile, developer Argent could be in hot water for using LFR and both the ICO and a...

 Read Full Article
Who Is The Weakest Link?

According to Sophos, 70% of internet users have the same password for almost all the web services they use - and there are groups of businesses and individuals who are...

 Read Full Article
Interserve - Basic Failings In Basic Maintenance. Troubled Firm Hit With Huge Bio Hazard Fine

Emergency generators failed and one caught fire when they were called in to use. Interserve has been fined after multiple safety failings could have caused a serious bio...

 Read Full Article
Reported Ransomware Incidents in UK Doubled in 2023

A Freedom of Information request has revealed that there was a resurgence in ransomware-related incidents following a quieter 2022.   In the first six months...

 Read Full Article