ICO fines Interserve Group Ltd

The ICO recently fined construction company Interserve Group Ltd £4.4m in response to their failure to sufficiently protect the personal information of their staff, breaching data protection law. 

So, what happened? 

A seemingly innocuous chain of events with disastrous consequences: an employee forwarded a phishing email to another employee, who then opened and downloaded its contents – installing malware in the process. One email which evaded Interserves’ security system was able to compromise 283 systems and 16 accounts, with around 133,000 members of staff affected. 

The data accessed by hackers included some special category data, increasing the severity of the data breach. The information collected included;  

  • Contact details 
  • National Insurance numbers 
  • Bank account details
  • Ethnic origin 
  • Religion 
  • Disabilities 
  • Sexual orientation 
  • Medical information 

Interserves’ culpability 

The ICO concluded that Interserve had not only failed to recognise and respond to warning signs of suspicious activity but had neglected to implement a successful data protection culture in the workplace. Their security systems were outdated and their staff were not sufficiently trained to recognise potential data breaches. 

The Interserve incident serves as a reminder to all of us that complacency remains the greatest asset in a hacker’s arsenal. As ICO Commissioner John Edwards warned; 

“If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

We couldn’t have said it any better ourselves! 

DPAS is here to help your organisation comply with data protection laws. Staff training and awareness for both Information Security, Cyber Security and Data Protection should be on the agenda at all times. It doesn’t always need to be a day-long course, there are so many options available. 

From conducting an audit to identify areas of weakness to providing staff training, you can get in touch with us at info@dataprivacyadvisory.com or give us a call on 0203 301 3384 and we can walk you through the best options for your business.

related posts

Noah de Wild

How to Assess a Data Breach: A Practical Guide

This blog explains how to assess a data breach by identifying its cause, determining what information was exposed, and evaluating the potential impact on affected individuals and the organisation. It outlines common causes of breaches, the importance of understanding the type and scale of compromised data, and how assessing the timeline of an incident can help businesses respond effectively, meet legal obligations, and reduce long-term risks.

Read More »
Noah de Wild

Don’t Panic: A Pragmatic Guide to the June 2026 Enforcement of the Data (Use and Access) Act Changes

With the June 19, 2026 enforcement of the Data (Use and Access) Act approaching, ensuring your business is compliant doesn’t have to be complicated or expensive. In our latest guide, we break down exactly what the new data protection complaint rules mean for you. Cut through the noise and discover our simple, free six-step checklist to update your protocols, designate handlers, and keep your business confidently compliant.

Read More »

Get a Free Consultation