"British Company Interserve Fined £4.4 Million Over Ransomware Attack"

The UK's data protection regulator fined a British construction company around $5 million after a ransomware group accessed sensitive data on 113,000 employees. According to the Information Commissioner's Office (ICO), Interserve Group failed to implement adequate security measures to prevent the cyberattack, which began with a phishing email. It is the second fine issued by the regulator this year for an organization failing to meet its data protection obligations in the aftermath of a ransomware attack. A law firm was fined £98,000 after hackers gained access to 24,000 court bundles containing medical files and witness statements.

In the case of Interserve, which went into administration in 2019 and is unlikely to pay the fine, the ICO said attackers were able to compromise employees' contact details, national insurance numbers, and bank account details, as well as special category data such as ethnic origin, religion, details of any disabilities, sexual orientation, and health information.

The breach happened when an employee forwarded the phishing email, which had not been blocked or quarantined by Interserve's systems, to another employee, who opened it and downloaded its malware-infected content. Interserve's anti-virus solution quarantined the malware and sent an alert, but the company failed to thoroughly investigate the suspicious activity. Had it done so, Interserve would have discovered that the attacker still had access to the company's systems, according to the ICO. The hackers then compromised 283 Interserve systems and 16 accounts and uninstalled the anti-virus software before encrypting the personal information of up to 113,000 current and former employees.

According to John Edwards, the Information Commissioner, the greatest cyber risk that businesses face is not from hackers outside of their organization but from complacency within their organization. If a company fails to regularly monitor its systems for suspicious activity and fails to act on warnings, or does not update software and provide staff training, it can expect a similar fine from the office.

This article continues to discuss the ransomware attack faced by Interserve that resulted in a $5 million fine.

The Record reports "British Company Interserve Fined £4.4 Million Over Ransomware Attack"
