ICO – Dataconomy (https://dataconomy.ru): Bridging the gap between technology and business

Interserve Data Breach: Interserve fined £4.4m by ICO
https://dataconomy.ru/2022/10/24/interserve-data-breach-ico-fine/
Mon, 24 Oct 2022 14:41:28 +0000

Interserve Data Breach finalized. The Information Commissioner’s Office (ICO) fined Interserve Group Ltd. £4.4 million for failing to protect the personal information of its employees. According to the watchdog, hackers were able to collect the personal data of 113,000 employees due to phishing emails. Can you claim compensation? Keep reading…


Interserve Data Breach costs £4.4 million

Interserve Group was fined £4.4 million by the Information Commissioner’s Office (ICO) for failing to protect the personal data of its 113,000 present and past employees. The fine pertains to a data breach that happened on May 2, 2020, which Interserve claims was avoidable, according to the ICO. The data breach occurred when Interserve operated an outsourcing company and was listed as a “key supplier to the government with clients including the Ministry of Defense.”

(Image caption: Interserve Data Breach was a phishing attack)

The following data was stolen in the Interserve Data Breach:

  • Personal information like contact information,
  • Social security numbers,
  • Bank account information,
  • Disabilities,
  • Sexual orientation,
  • Religion,
  • Ethnicity,
  • Health data.

The ICO investigation revealed that the business did not put “adequate technical and organizational safeguards” in place to stop a cyberattack.

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

Information Commissioner John Edwards

(Image caption: Interserve Data Breach: France’s Altrad group bought Interserve in 2021)

According to Interserve, it cooperated with the ICO, but that did not save it from the penalty.

“Interserve has worked extensively with the ICO and the NCSC since first reporting the cyber incident in May 2020. This cooperation and the work done to mitigate the possible impact on individuals are expressly recognised by the ICO in the ICO’s Monetary Penalty Notice (MPN).”

Interserve

Interserve received a “notice of intent” from the ICO, a legal document that precedes a possible fine. The preliminary fine was set at £4.4 million. Interserve’s arguments were thoroughly investigated. However, the final fine amount was not altered.




Interserve Data Breach summary

In May 2020, a phishing email was shared with another Interserve employee. The email was not quarantined or blocked by Interserve’s system. The employee downloaded its content and opened it, which installed malware on the employee’s workstation.

(Image caption: Interserve Data Breach: Personal information like social security numbers, bank account information, and more was included in the breach)

Although the company’s anti-virus quarantined the malware and generated an alert, Interserve did not thoroughly investigate the suspicious activity. Had it done so, Interserve would have discovered that the attacker still had access to the company’s systems, according to the ICO.

After compromising 283 systems and 16 accounts, the attacker also removed the company’s antivirus program. The personal information of up to 113,000 current and former employees was encrypted and made inaccessible.

(Image caption: Interserve Data Breach: According to the ICO, Interserve could have stopped the breach)

The ICO’s inquiry revealed that Interserve ignored the initial report of suspicious behavior, used outdated software systems and protocols, lacked adequate staff training, and conducted insufficient risk assessments, leaving it open to a cyber attack.

Interserve violated data protection laws by failing to implement the necessary organizational and technical safeguards to guard against unauthorized access to individuals’ personal information.

Interserve received a notice of intent from the ICO, a legal document that comes before a possible fine. It set the preliminary fine at £4.4 million. Despite “careful consideration” of Interserve’s arguments, the ICO chose to impose the full penalty.

Can you claim compensation?

According to the European Commission, if a business or organization violated the legislation governing data protection and you suffered material damage (such as monetary loss), non-material damage (for example, distress or loss of reputation), or both, you may be entitled to compensation.

You have two options for filing a claim: with the firm or organization in question or with the national courts. The courts of the EU Member State where the controller or processor is located will hear your compensation claim. Alternatively, you could bring such a case before the courts of the EU Member State where you typically reside.


The Interserve Data Breach Settlement has not been announced yet. When it is public, this part will be updated.

What is Interserve?

The London and Tilbury Lighterage Company Limited, the company’s original name, was established in 1884. Following a merger with RM Douglas, it was known as Tilbury Douglas starting in 1991, but in 2001 it changed its name to Interserve plc. The name change partially reflected a shift in emphasis throughout the 1990s towards the maintenance and facilities management services sectors, which persisted in the 2000s, aided by additional acquisitions.

Interserve, a British construction and support services company with headquarters in Reading, Berkshire, entered administration in 2019 and is scheduled to close its doors in 2024. The company employed 34,721 people and had £2.2 billion in sales at that time.

Who owns Interserve now?

On 24 June 2021, the Ministry of Justice renationalized its Citizen Services division as part of the UK Government’s new probation delivery model. On 6 October 2021, RMD Kwikform was sold to France’s Altrad group for more than £140 million.

Outcomes of data breaches: Equifax & T-Mobile

The credit reporting firm Equifax acknowledged on September 7, 2017, that one of its computer networks had suffered a data breach that exposed the personal information of 143 million clients, a figure that eventually rose to 147 million. These records included customers’ names, addresses, dates of birth, Social Security numbers, and credit card numbers, all of which may be exploited for fraud and identity theft.

Under the terms of the settlement, Equifax agreed to establish a fund to provide customers with free credit monitoring, identity theft protection, and cash compensation of up to $20,000 per person to people harmed by the event. Additionally, the company must pay court fees and government fines.


(Image caption: Interserve Data Breach: Up to 113,000 current and former employees affected)

The cybersecurity vulnerability was first disclosed by T-Mobile and was made public on August 16, 2021. According to reports, the personally identifiable information of almost 77 million consumers was stolen in the T-Mobile data breach. The stolen database data included addresses, dates of birth, social security numbers, driver’s license numbers, unique IMEIs and identification codes for client phones, and so on.

If granted, the $350 million T-Mobile settlement will represent the second-largest payment for a data breach in US history.


Google Will Redesign Privacy Policy, Following Pressure from UK’s Data Watchdog
https://dataconomy.ru/2015/02/02/google-will-redesign-privacy-policy-following-pressure-from-uks-data-watchdog/
Mon, 02 Feb 2015 16:06:14 +0000

It has come to light that Google will change its privacy policy following a settlement with the UK data watchdog, the Information Commissioner’s Office.

Discussing the incident, BBC News stated that the ICO termed Google’s 2012 70-policy overhaul “too vague when describing how it uses personal data gathered from its web services and products”.

Google has been negotiating with other European countries regarding its policies and will aim to find a similar solution. The European Article 29 Data Protection Working Party, which comprises data regulators from around Europe, has been investigating Google for some time now.

Google has agreed to more transparency and ease-of-use. It will also provide “unambiguous and comprehensive information regarding data processing, including an exhaustive list of the types of data processed by Google and the purposes for which data is processed”.

Among other clarifications, Google will include information about who may collect “anonymous identifiers”, and the usage of collected data. The implementation of the revised policies is to take place by the 30th of June this year.

Speaking for the ICO, Steve Eckersley, the ICO’s head of enforcement, said: “Whilst our investigation concluded that this case hasn’t resulted in substantial damage and distress to consumers, it is still important for organisations to properly understand the impact of their actions and the requirement to comply with data protection law.”


(Image credit: Today’s Google Doodle)

Online Shoe Retailer Office Gets Slap on the Wrist from ICO following 2014 Customer Data Breach
https://dataconomy.ru/2015/01/21/online-shoe-retailer-office-gets-slap-on-the-wrist-from-ico-following-2014-customer-data-breach/
Wed, 21 Jan 2015 10:06:42 +0000

Office, the UK-based online shoe store, has received a warning from the Information Commissioner’s Office (ICO), where the imposing of a fine or stricter measures was imminent, in the aftermath of a data breach that compromised customer information.

Personal information such as contact details and website passwords of over a million customers was accessed by an outsider through an unencrypted Office database in May last year. However, it has been reported that no valuable financial data was compromised.

Office Holdings CEO Brian McCluskey spoke of the issue: “We take such a threat very seriously and have been in communication with our customers to advise them of the matter.”

“We can confirm that no credit card, debit card, PayPal or bank details were compromised in any way. In addition, we have reported the matter to the relevant authorities,” he further added.

“The breach has highlighted two hugely important areas of data protection – the unnecessary storage of older personal data and the lack of security to protect data,” notes ICO enforcement group manager Sally-Anne Poole.

She also pointed out the potential danger of having the same password on various online accounts. “This one incident could potentially have given the hacker access to numerous accounts that the clients held with other organisations, as passwords were included on the database in question,” she said.

The ICO’s 9-month-long investigation revealed that there was no trace of the stolen information being passed on. However, Mr. McCluskey has promised stringent measures such as routine testing of the servers and systems, better data protection infrastructure, and training for employees to avoid future mishaps.


(Image credit: Pixabay)
