“Complacency” leads to fourth-largest ICO fine – and a stark warning for other firms
Firm was running Microsoft Server 2003 R2 on 18 servers; domain admin group had 280 users.
In brief: Interserve fine of £4.4m from ICO follows data breach. Construction company was running Microsoft Server 2003 R2 on 18 servers. Domain admin group had 280 users.
The Information Commissioner’s Office (ICO) has warned business that their biggest cyber risk is “complacency, not hackers”, as it fines construction firm Interserve £4.4 million.
Details of Interserve’s case should sound very loud alarms for significant numbers of firms, with the ICO highlighting the firm’s use of end-of-life server Operating Systems when Interserve got hacked, outdated anti-virus protection, inadequate vulnerability scanning and more. The cumulative effect of all of these – rather than the hack itself – was the reason behind Interserve’s fine.
“If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office,” said UK Information Commissioner John Edwards, in a press release.
“Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud,” he added.
April Fools
Almost 300 of Interserve’s systems got popped in 2020 when a user forwarded a phishing email onto another employee at the end of March, who opened it and unleashed the payload on 1 April: ransomware which exposed and encrypted sensitive data. According to the ICO the breach affected 113,000 current and former employees.
But the fine – the fourth-largest ever issued by the ICO – is actually for Interserve’s “contraventions” from 18 March 2019 to 1 December 2020, (the “relevant period”) which rendered it vulnerable to the ransomware attack.
“In the Relevant Period Interserve failed to process personal data in a manner that ensured appropriate security of the personal data,” said the ICO’s monetary penalty notice.
While Interserve’s systems identified the malware, and the company took action to remove “some of the files”, the firm did not verify all the malware had been dealt with. In fact the attacker still had control of the employee’s workstation – and on 3 April used that control to gain access to a server, and then to other systems.
May Day
At the start of May 2020 the attacker uninstalled Interserve’s anti-virus software, and breached 283 systems and 16 accounts, breaching data relating to tens of thousands of employees. After this the firm took the incident seriously – but by then it was too late.
The ICO listed a litany of failures on Interserve’s part, particularly its use of Microsoft Server 2003 R2 on 18 servers and Server 2008 R2 on 22 servers hosting employee data. Both OSs were end-of-life at the time of the incident, in contravention not only of UK official guidance, but Interserve’s own policies and standards as well.
Privileged account management also came under scrutiny by the ICO: Interserve’s domain administrator group had more than 280 users at the time of the incident, with the attacker compromising 12 of these.
“These users were given wide permissions within the organisation's domain by their line manager who approved the permissions, including in some instances the ability to uninstall antivirus software,” said the MPN.
Greater than the sum of its parts
But the ICO’s judgment came not as a result of a single failure – but all of them.
“The Commissioner accepts that each of the above contraventions, if considered in isolation, are not necessarily causative of the Incident nor a serious contravention… justifying the imposition of a financial penalty, however the cumulative failures materially increased the risk of an attack occurring, and the seriousness of the consequences of an attack, and taken together do constitute a serious contravention,” said the ICO’s report.
The commissioner’s warning to companies come on top of mounting evidence cyber criminals just don’t have to try that hard these days. Ironically the criminals who breached Interserve with a phishing attack went further than many these days – CrowdStrike reported last month the use of malware is falling, as valid credentials are so easily available online.
Two of the most devastating recent attacks – against Uber and NHS MSP Advanced – both started through the use of legitimate credentials (although in the case of Advanced, it has not yet been disclosed how these credentials were obtained).
Interserve fine: Yeah but no but...
In a statement, Interserve pushed back against the ICO’s characterisation of the firm: “Interserve strongly disputes that its staff and the company’s response were in any way complacent. The statements in the ICO’s press release issued on Monday 24 October 2022 are inconsistent with the ICO’s MPN, which does not reference in any way that Interserve was complacent in its actions.
“In fact, as the ICO recognises in its MPN, Interserve took extensive steps to resolve the incident, engaging leading cyber response companies, and made significant investments across its operating companies to mitigate the potential impacts of the cyber incident on its past and present staff,” it added.
Having read the MPN, this reporter is unclear how Interserve can claim the ICO’s report shows it wasn’t complacent. And while the MPN does note Interserve’s actions after the event, there is a relevant proverb about horses and stable doors which the firm’s management could usefully bear in mind.