UK Fines Outsourcer For Failing To Stop Cyberattack

Bruce66423 writes: Britain's data watchdog has fined the construction group Interserve $4.9m after a cyber-attack that enabled hackers to steal the personal and financial information of up to 113,000 employees. The attack occurred when Interserve ran an outsourcing business and was designated a "strategic supplier to the government with clients including the Ministry of Defence." Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the personal information compromised. The Information Commissioner's Office (ICO) said Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack, which happened two years ago. Interserve's system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated. The attack led to 283 systems and 16 accounts being compromised, uninstalled Interserve's anti-virus system and encrypted all current and former employees' information. The ICO said Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments. "This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud," said John Edwards, the UK information commissioner. "Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people's most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."

Read more of this story at Slashdot.