Gone phishing: UK data watchdog fines construction biz £4.4m for poor infosec hygiene (Security News, October 2022)
Britain's data watchdog has slapped construction business Interserve Group with a potential £4.4 million fine after a successful phishing attack by criminals exposed the personal data of up to 113,000 employees.
The Information Commissioner's Office said the Berkshire-based company failed to exercise good security hygiene, including by not acting on its own security alerts, and was therefore deemed to have broken data protection laws.
The company's anti-virus software quarantined the malware and dispatched an alert, but Interserve "failed to thoroughly investigate the suspicious activity"; investigating it might have revealed that the attacker had already obtained access to company systems.
"Personal data of up to 113,000 current and former employees was encrypted and rendered unavailable," the ICO said in a statement.
A subsequent probe by the data regulator found a litany of errors made by Interserve - including not responding to the initial alert of suspicious activity, using outdated software systems and protocols, a lack of suitable training for staff and insufficient risk assessments.
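The failure described above, a quarantine alert that fires but is never followed up while the attacker stays on the host, is the kind of thing a SOC can catch with a simple escalation rule. The code below is an added example written for this page; it is not code from Interserve, the ICO or The Register. The log format, hostnames, timestamps, the `AVEngine` service name and the acknowledgement SLA are all constructed for illustration. It flags a quarantine alert when either nobody acknowledged it within the SLA or the same host later shows activity consistent with an intruder who got past the quarantine (a remote-interactive logon or the anti-virus service being stopped).

```python
"""Escalation rule for anti-virus quarantine alerts that nobody looked at.

Added example for this page, not code from Interserve, the ICO or The Register.
The log lines, host names, service name and SLA below are constructed.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry in a flat "ts key=value ..." form.
# 'kind' is one of: av_quarantine, alert_ack, auth_logon, service_stop.
# WS-0412 mirrors the failure on the page: quarantine, no acknowledgement,
# then an attacker logs on remotely and stops the AV service.
# WS-0099 is the healthy case: quarantine acknowledged within 15 minutes.
SAMPLE_EVENTS = [
    "2022-05-03T09:14:02 host=WS-0412 kind=av_quarantine file=invoice.docm user=jsmith",
    "2022-05-03T09:41:55 host=WS-0412 kind=auth_logon user=jsmith logon_type=10 src=10.20.4.77",
    "2022-05-03T10:02:10 host=WS-0412 kind=service_stop service=AVEngine",
    "2022-05-03T11:30:00 host=WS-0099 kind=av_quarantine file=setup.exe user=apatel",
    "2022-05-03T11:45:12 host=WS-0099 kind=alert_ack analyst=soc1",
]

# Hypothetical name of the endpoint protection service; site-specific.
AV_SERVICES = {"AVEngine"}


def parse_event(line: str) -> dict:
    """Parse one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def is_follow_on(event: dict) -> bool:
    """Activity after a quarantine that suggests the operator is already inside:
    a remote-interactive logon (Windows logon type 10) or the AV service stopping."""
    if event["kind"] == "auth_logon" and event.get("logon_type") == "10":
        return True
    if event["kind"] == "service_stop" and event.get("service") in AV_SERVICES:
        return True
    return False


def triage_quarantines(lines, now: str,
                       ack_sla: timedelta = timedelta(hours=4),
                       window: timedelta = timedelta(hours=24)) -> list:
    """Return one finding per av_quarantine alert, in time order.

    A finding escalates when the alert was not acknowledged within ack_sla
    (judged as of 'now', an ISO-8601 string) or when the same host shows
    follow-on activity within 'window' of the quarantine.
    """
    now_ts = datetime.fromisoformat(now)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    findings = []
    for alert in events:
        if alert["kind"] != "av_quarantine":
            continue
        host, t0 = alert["host"], alert["ts"]
        later = [e for e in events if e["host"] == host and t0 < e["ts"] <= t0 + window]
        acked = any(e["kind"] == "alert_ack" and e["ts"] <= t0 + ack_sla for e in later)
        follow_on = [e for e in later if is_follow_on(e)]

        reasons = []
        if follow_on:
            reasons.append("post-quarantine activity on host: "
                           + ", ".join(e["kind"] for e in follow_on))
        if not acked and now_ts > t0 + ack_sla:
            reasons.append(f"no analyst acknowledgement within {ack_sla}")
        findings.append({
            "host": host,
            "file": alert["file"],
            "quarantined_at": t0.isoformat(),
            "escalate": bool(reasons),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage_quarantines(SAMPLE_EVENTS, now="2022-05-04T09:00:00"):
        status = "ESCALATE" if finding["escalate"] else "ok"
        print(f"{status:8} {finding['host']} {finding['file']} {finding['reasons']}")
```

The two conditions are deliberately independent: a quarantine that is acknowledged on time but is followed by a remote logon and the AV service stopping still escalates, because the acknowledgement only proves someone saw the alert, not that the host was checked. In a real deployment the events would come from the AV console and the endpoint's authentication and service logs rather than a list of strings, and the logon-type and service-name checks would be tuned to the estate.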
The ICO has served Interserve with a notice of intent - a legal document that comes before a fine.
News URL: https://go.theregister.com/feed/www.theregister.com/2022/10/25/gone_phishing_uk_data_watchdog/