Huge Fine Highlights Importance of Effective Data Protection Training

Friday, 11 November 2022

The Information Commissioner’s Office fined a construction company £4.4 million, following a cyber-attack in which the personal data of up to 113,000 employees was affected.

Phishing Email Led to Huge Breach

One of Interserve's employees opened a phishing email, which meant hackers were able to install malware on their workstation. Through this, the hackers were able to access the personal information of up to 113,000 employees. The compromised data included contact details, National Insurance numbers, bank account details, and special category personal data including data on ethnic origin, religion, sexual orientation and disabilities.

Criticism for Response to Attack

Interserve was notified about the malware through its anti-virus software. However, it was criticised for having failed to thoroughly investigate what had happened. Specifically, whilst it took action to remove some of the files that had been installed on the employee's workstation, it failed to verify that all malware had been removed. This meant the attacker was able to retain access to the workstation from 1 April 2020, when the link was opened, until 2 May 2020. On 2 May 2020, as part of a routine maintenance check, Interserve discovered a message on its server stating it had been hacked. It notified the ICO of the breach on 5 May 2020.

Spotlight on Staff Training

At the time of the attack, one of the two employees who received the phishing email had not undertaken data protection training. This was a breach of Interserve's own policies. The ICO found that Interserve should have been aware of the risks of failing to implement effective information security training for all staff, and found that the failure to put in place appropriate training amounted to a UK GDPR breach.

Learning Points

Organisations that handle or are responsible for personal data are required to implement technical and organisational measures to ensure the security of the data. In this case, effective staff training on data protection and information security would likely have been seen as a mitigating factor by the ICO.

We have developed eLearning on data protection and information security, designed to disseminate key information to staff to help you protect the security of personal data within your organisation and easily evidence that training when needed. The courses have been written by our data protection specialists and will be updated next year in line with the expected change to data protection law.

We will also be offering a tailored course for your Data Protection Lead to build on their understanding of the data protection essentials and to help them carry out their role more effectively. Our all-staff eLearning starts at £3 per learner and our role-specific courses are individually priced.

To book a demo, please contact Imogen Street in our VWV Plus team on 07384 545 998 or at istreet@vwv.co.uk.

For more information, please contact Andrew Gallie in our Data Protection team on 0117 314 5623 or complete the form below.
