The fine follows a breach of data protection law in May 2020 when the company failed to put appropriate security measures in place to prevent the cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email.
The compromised data included personal information such as contact details, national insurance numbers, and bank account details.
The ICO said: “An Interserve employee forwarded a phishing email, which was not quarantined or blocked by the company’s system, to another employee who opened it and downloaded its content.
“This resulted in the installation of malware onto the employee’s workstation.
“The company’s anti-virus software quarantined the malware and sent an alert, but Interserve failed to thoroughly investigate the suspicious activity. If they had done so, Interserve would have found that the attacker still had access to the company’s systems.
“The attacker subsequently compromised 283 systems and 16 accounts, as well as uninstalling the company’s anti-virus solution. Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable.
“The ICO investigation found that Interserve failed to follow-up on the original alert of a suspicious activity, used outdated software systems and protocols, and had a lack of adequate staff training and insufficient risk assessments, which ultimately left them vulnerable to a cyber attack.”
The ICO issued Interserve with a ‘notice of intent’ – a legal document that precedes a potential fine. The provisional fine amount was set at £4.4m. Having carefully considered representations from Interserve, no reductions were made to the final fine amount.
Interserve plc went into a pre-pack administration in March 2019 and was rebranded as Interserve Group. A break-up followed with Interserve’s facilities management business sold to Mitie in December 2020 and RMD Kwikform sold in October 2021 to Altrad.
In March 2021 Interserve rebranded its construction and engineering business as Tilbury Douglas.
An Interserve statement said: ‘”Interserve has worked extensively with the Information Commissioner’s Office (ICO) and the National Cyber Security Centre since first reporting the cyber incident in May 2020.
“Interserve strongly disputes that its staff and the company’s response were in any way complacent.
“Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff.
“It also sought to reduce the risk of future incidents and successfully facilitate the safe and effective ongoing operations of Tilbury Douglas and the facilities management business acquired by Mitie Group PLC.
“Interserve will continue to prioritise the interests of its past and present staff, counterparties and other stakeholders while engaging with the ICO to resolve their investigations”
