Interserve Group Limited – €5,033,000 Fine (United Kingdom, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The UK data protection authority fined Interserve Group Limited over EUR 5 million after a cyber attack exposed personal data of 113,000 employees. The company failed to secure its systems and train staff properly, leading to the breach.
What happened
Interserve Group Limited suffered a cyber attack that exposed personal data of 113,000 employees due to inadequate security measures.
Who was affected
The breach affected 113,000 employees whose personal data, including bank and social security details, was compromised.
What the authority found
The authority found that Interserve's lack of proper security measures and employee training led to the data breach, violating GDPR's data protection requirements.
Why this matters
This case highlights the critical need for companies to maintain robust cybersecurity practices and regularly train employees on data protection. It serves as a warning that failing to do so can result in severe financial penalties and damage to reputation.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The British DPA has fined the construction group Interserve Group Limited EUR 5,033,000. The controller had notified the DPA of a data breach pursuant to Art. 33 GDPR. Interserve had suffered a cyber attack in which the attackers sent a phishing email to the mailbox of Interserve's accounting team. The email was opened by an employee who also downloaded and opened an attached zip file. This allowed the attackers to install malware and siphon off personal data from 113,000 employees. The siphoned data contained bank account information, social security numbers, ethnicity, sexual orientation and religion of the data subjects, among other things. The DPA's investigation found that inadequate security measures allowed the attack to occur. Interserve employees, for example, had not been adequately trained on data privacy. In addition, Interserve processed personal data on unsupported operating systems that were no longer subject to security updates to address vulnerabilities in the system. Also, Interserve had not conducted adequate vulnerability scans. Finally, Interserve's information security team had not sufficiently investigated the attack as antivirus software reported that the malware had been removed.
Related Enforcement Actions (0)
No other enforcement actions found for Interserve Group Limited in the UK.
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
19 October 2022
Authority
Information Commissioner's Office
Fine Amount
€5,033,000
Enforcement Tracker ID
ETid-1461
About this data
Cite as: Cookie Fines. Interserve Group Limited - United Kingdom (2022). Retrieved from cookiefines.eu