The ICO has fined Interserve £4.4 million, which is about $5 million, due to the data breach compromising the financial and personal data of 113,000 employees. Here is how the attack occurred, the lost data, why Interserve was fined, and how organizations can avoid a similar fate by investing in anti-phishing solutions.

Phishing awareness and anti-phishing measures have become the need of the hour, thanks to the rising cases of phishing cybercrimes. It would seem that organizations now have no choice but to provide adequate cybersecurity measures or face legal consequences.

The latest issue came to light when the Construction group Interserve was fined £4.4 million following a phishing cyberattack that resulted in the loss of personal and financial information of its workforce. Let us look into the organization, how the cyberattack took place, why the British data watchdog fined the organization, and why anti-phishing measures are what every organization needs.

 

What is Interserve?

Interserve is a construction and support services organization based in Berkshire. The organization started in 1884 and has served clients worldwide, providing professional services, construction equipment for sale and hire, and other construction services. Interserve is currently making headlines worldwide after being fined for losing the personal and financial information of 113,000 employees.

 

Interserve Data Breach at a Glance

Interserve’s outsourcing business was hit in 2020. Considered a strategic government supplier with multiple federal agencies as its clients, even the Ministry of Defence, Interserve suffered a data breach that led to the exposure of data of over 100,000 employees.

Threat actors infiltrated the HR (Human Resources) database, which was also used to build the Birmingham Nightingale Hospital, stealing the information of current and former Interserve employees in May 2020. Interserve was considered a “strategic supplier” to the US government and maintained multiple educational institutions, hospitals, and transportation networks across the country. Interserve’s spokesperson provided a statement in 2020, explaining that the organization was the target of a cybersecurity attack and would work closely with NCSC (National Cyber Security Centre) and Strategic Incident Response teams to investigate and contain the cyberattack and remedy the situation.

The personal information stolen during the data breach included financial details such as bank account numbers and national insurance numbers, opening the employees up to financial and insurance fraud. The stolen data also included personal information such as sexual orientation, religion, ethnic origins, employee names, residential addresses, payroll information, next of kin, HR records, pension, and absence information. Such data is precious to cyber criminals who may use it to target relatives, conduct impersonation scams, and sell personal information on the dark web for threat actors to exploit.

 

The Phishing Attack at Interserve

On close investigation, it was discovered that Interserve’s system did not perform as it should and failed to stop a phishing email. An employee downloaded a phishing email that was not marked as spam and downloaded the malicious content, leading to the installation of malware on the employee’s system. Furthermore, Interserve’s anti-virus quarantined the discovered malware and sent out alerts that Interserve did not investigate adequately, leading to a vast cyberattack reaching 283 systems and 16 accounts. The compromised systems and accounts were exploited as the information of 113,000 current and former employees was encrypted after the phishing-delivered malware uninstalled Interserve’s anti-virus on affected systems.
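The failure described above (quarantine alerts left uninvestigated, then anti-virus disappearing from affected systems) can be turned into a simple correlation rule. The following Python example is added here for illustration and is not from the original article or from Interserve's tooling; the event schema, field names, host names, and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

TRIAGE_SLA = timedelta(hours=4)       # assumed: longest an AV alert may sit untriaged
TAMPER_WINDOW = timedelta(hours=72)   # assumed: look-ahead for AV loss after a detection
TAMPER_TYPES = {"av_uninstalled", "av_heartbeat_lost"}  # hypothetical event types

# Constructed sample events in a hypothetical normalized schema.
EVENTS = [
    {"ts": "2024-01-10T09:14:00", "host": "ws-017", "type": "av_quarantine", "acked": False},
    {"ts": "2024-01-10T09:40:00", "host": "ws-042", "type": "av_quarantine", "acked": True},
    {"ts": "2024-01-11T22:05:00", "host": "ws-017", "type": "av_uninstalled", "acked": False},
    {"ts": "2024-01-11T23:30:00", "host": "srv-003", "type": "av_heartbeat_lost", "acked": False},
    {"ts": "2024-01-12T09:55:00", "host": "ws-088", "type": "av_quarantine", "acked": False},
]
NOW = datetime(2024, 1, 12, 12, 0)    # constructed evaluation time

def find_escalations(events, now):
    """Return sorted [(host, severity, reasons)] for hosts that need investigation."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append({**e, "ts": datetime.fromisoformat(e["ts"])})
    findings = []
    for host, evs in by_host.items():
        detections = [e for e in evs if e["type"] == "av_quarantine"]
        tampers = [e for e in evs if e["type"] in TAMPER_TYPES]
        reasons = []
        # A quarantine is a lead, not a resolution: flag alerts untriaged past the SLA.
        if any(not d["acked"] and now - d["ts"] > TRIAGE_SLA for d in detections):
            reasons.append("quarantine alert untriaged past SLA")
        # Protection vanishing soon after a detection suggests the infection survived.
        followed = any(timedelta(0) <= t["ts"] - d["ts"] <= TAMPER_WINDOW
                       for d in detections for t in tampers)
        if followed:
            reasons.append("AV removed or silent after detection")
        elif tampers:
            reasons.append("AV removed or silent with no prior detection")
        if reasons:
            findings.append((host, "critical" if followed else "high", reasons))
    return sorted(findings)

if __name__ == "__main__":
    for host, severity, reasons in find_escalations(EVENTS, NOW):
        print(f"{severity.upper():8} {host}: {'; '.join(reasons)}")
```
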

 

 

Interserve was using outdated software and protocols in conjunction with a lack of proper staff awareness and training. Paired with insufficient risk assessments, the organization suffered a significant data breach.

The UK Information Commissioner, John Edwards, highlighted the data breach’s severity and said, “This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.”

John added that leaving an open invitation to threat actors is unacceptable for any organization, especially those dealing with the sensitive or financial information of individuals. One of the significant cyber risks that businesses face comes not from threat actors or hackers outside an enterprise but from complacency within that enterprise.

 

How did Interserve Respond to the Phishing Attack?

Interserve shared its response, providing details of the crisis response team the organization launched after the cyberattack and of the new business continuity plans that went into the implementation phase.

Interserve stated that all remedial work was completed by 24 August 2020 with no residual threats residing in its systems, and the organization appointed a new CIO (Chief Information Officer). Interserve also clarified that it fulfilled all obligations to the ICO (Information Commissioner’s Office) and cooperated with the office throughout the investigation.

 

ICO’s £4.4 Million Fine on Interserve

The ICO fined Interserve £4.4 million on the grounds of failure to keep the personal information of 113,000 current and former employees safe. Following the data breach of 2 May 2020, the ICO believes that with adequate cybersecurity measures, the cyberattack that led to the data breach could have been avoided, a statement that Interserve does not agree with.

Had Interserve investigated the suspicious activity, the organization would have discovered the threat actors moving freely within its systems. Since Interserve broke the data protection law by failing to put adequate technical measures in place and to protect its employees’ financial and personal information from unauthorized access, the ICO issued a notice of intent to Interserve, highlighting the potential fine with a provisional fine amount of £4.4 million after “carefully considering the representations” from Interserve.

 

How does Anti-Phishing Come into play?

Anti-phishing measures are the need of the hour since avoiding phishing emails or marking such emails is a straightforward task. Had Interserve invested in ample anti-phishing measures and educated its employees, the cyberattack leading to the data breach could have been avoided. Protecting a business is the top priority for any organization. And in the digital age, this protection spans the security of all data and each employee, client, and partner connected to the organization.

Phishing attacks are popular among threat actors as they are easy to conduct and have a high success rate because individuals rarely check or doubt legitimate-looking emails. This is exactly where anti-phishing strategies come into play to reduce an organization’s exposure to phishing attacks, protect its systems and employees, and avoid such significant fines, as observed in the case of Interserve.

 

Top 5 Anti-Phishing Measures You Need To Implement

For enterprise protection and growth, it is important to concentrate on:

  1. Educating Employees: Threat actors use social engineering tactics to trick individuals and employees into downloading malicious content or giving up login credentials. Educating employees about the urgency tactics, latest phishing attacks, and events will allow organizations to better protect against phishing, starting at the unit level.
  2. Reporting Phishing Activity: Threat actors often send phishing emails to multiple organizations and employees. It is paramount that employees report any phishing emails to flag such emails and protect other employees from interacting with them.
  3. Corporate Email Policy Training: Organizations follow email security policies defining the acceptable use of emails. These policies should describe acceptable and unacceptable usage of emails, responding, and reporting to IT, and employees should follow these guidelines.
  4. Password Security: Phishing emails mostly aim to steal login credentials so that the threat actor can access employee accounts or organizational networks. Employees and executives should be taught the best password security practices and implement MFA (Multi-Factor Authentication).
  5. Automated Solutions: There are many automated anti-phishing solutions for round-the-clock protection against phishing. Organizations should invest in an AI solution that guards the emails, platforms, and productivity applications and minimizes the risk of phishing.

 

Final Words

Interserve failed to protect the sensitive information of its employees and paid the price twice – first, to the cybercriminals and then again to the law. Interserve’s fate is the prime example of why organizations need to strengthen cybersecurity policies and infrastructure to prevent phishing and other cyber threats.

The above anti-phishing guidelines form the first step of an organization’s phishing protection. With further research, implementation of sophisticated systems, and continued efforts, any organization can become cyber secure.