A £4.4m fine imposed by the ICO in October 2022 reveals its views on the responsibility of the parent company and senior management, and on the financial investment expected of organisations, for maintaining security standards that prevent cyber attacks.

What happened?

A UK-based construction company suffered a cyber-attack in which the personal data of 113,000 employees, including sensitive personal data, was compromised. An employee opened a phishing email; although the malware it installed was later deleted, it had already given the attacker access to data on the organisation’s systems, which the attacker then encrypted and made unavailable.

What were the failures?

In its assessment of the breach, the ICO listed the following failures of the organisation to apply appropriate technical and organisational security measures:

  1. Use of outdated operating systems that were no longer receiving security updates to fix known vulnerabilities. This was contrary to the NIST 800-53 standard, the NCSC Guidance on “Security Outcomes” and the NCSC Guidance on “Mitigating Malware and Ransomware Attacks”;
  2. Failure, after the malware was deleted, to investigate the source of the incident and the security weaknesses it exposed, contrary to the industry best-practice standards ISO 27001 and ISO 27002;
  3. Failure to audit the implementation of its internal IT policies, contrary to the industry standard ISO 27001;
  4. Failure to run the latest anti-virus protection;
  5. Granting wide privileges to too many members of the administrator group, including the right to uninstall anti-virus software;
  6. Failure to carry out annual vulnerability scans and penetration testing; and
  7. Failure to train employees in data protection.

Cumulatively the above failures resulted in a serious breach of the UK General Data Protection Regulation (UK GDPR).

The role of senior management

The senior management of the organisation was aware of the issues with the IT systems but failed to regularly review the suitability, adequacy, and effectiveness of the security measures in place.

One of the explanations offered for the failure to apply the relevant protections was the financial constraints the organisation was experiencing before the incident. However, the ICO made it clear that some of the failures could have been avoided at no or low cost. In the ICO’s view, the significant costs the organisation eventually had to incur post-incident were justified and proportionate to the scale and nature of the personal data it was processing. The ICO also noted that industry standards such as ISO 27001 require leadership to allocate the resources needed to achieve security standards, and made the point that the significant investments the organisation made post-incident should have been made earlier.

What can organisations learn from this?

The ICO stated that in this scenario, “Measures such as processing personal data on supported operating systems, removing legacy protocols, using endpoint protection, data protection training and appropriate incident response could have very significantly reduced the likelihood of personal data being compromised. The failure to implement such measures exposed that personal data to serious risks.”

The ICO has made clear in its previous fines what standards of security measures it expects organisations to follow. These are set by national agencies that provide advice on cyber security, such as the UK’s National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST). The ICO stated that it expects higher standards of security from a large organisation, especially given the size of its workforce and the volume and nature of the personal data it processes. The ICO expects to see evidence of appropriate management oversight and review of security systems.

Another significant point is that the ICO applied the penalty to the parent company of the organisation, as the controller primarily responsible for the data security deficiencies, rather than to the companies that suffered the breach. This is because, in the ICO’s view, the parent company (a) was responsible for the company-wide information security and data protection policies; (b) was responsible for the security of the IT infrastructure where the personal data of its subsidiaries was stored; and (c) employed the senior management of the organisation. Although the organisation that received the fine is based in the UK, the ICO’s analysis of the role of a parent company as the primary controller for data protection and cyber security is one for multinational organisations subject to the UK GDPR to keep in mind.