What is an example of a GDPR Violation Case?
The General Data Protection Regulation (GDPR) is a privacy and security law from the European Union (EU) that imposes obligations on organisations anywhere in the world that target or collect the personal data of individuals in the EU. Regulators can levy substantial fines against organisations that violate its privacy and security requirements, whether or not the violator is established in the EU. The GDPR therefore has implications for organisations of all sizes that conduct international business. The following GDPR violation case demonstrates how cybersecurity lapses can result in significant financial consequences [1].
The UK-based construction and support services organisation Interserve received a £4.4 million fine from the UK's Information Commissioner's Office (ICO), the fourth largest fine the ICO has ever issued for GDPR violations.
Incident
In March 2020, an Interserve employee received a phishing email indicating that an attached file required urgent review. The employee forwarded the email with the attachment to a colleague, who downloaded and extracted the malicious ZIP file, which allowed the attackers to establish a presence on the colleague's workstation. The colleague had been working remotely and connected to Interserve's systems using a "split tunnelling" VPN configuration, in which only traffic destined for the corporate network is sent through the VPN; the workstation's other traffic, including the malware's, bypassed the security controls on that path. Within days, an Interserve server was compromised and the attackers were able to move laterally through the network. When Interserve's endpoint protection tools eventually detected suspicious activity, they removed the associated files and reported that "...automatic removal of malware files had been successful." This was not the case: the attacker retained access to the colleague's workstation.
The failure to fully remove the attacker's access to the workstation led to the compromise of 283 systems and 16 accounts (twelve of which were considered "privileged") across four domains. Through their retained access, the attackers uninstalled Interserve's anti-virus solution and compromised servers and databases that held the personal data of 113,000 individuals. The compromised data included email addresses, national insurance numbers, bank account details, dates of birth, educational information, and "special category data" including ethnicity, religion, disabilities, sexual orientation, and health information. The attackers then encrypted the personal data on the compromised systems, which Interserve reported to UK cybersecurity protection agencies within days of the encryption.
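The lesson of the incident above is that an endpoint tool's "removal successful" verdict is a claim to be verified, not a closure condition. The following is an added example, not code from the original page or from Interserve or any vendor: it cross-checks each "malware removed" verdict against later telemetry from the same host and flags hosts where the removed file runs again or a security service is uninstalled. The event schema, field names, service names, and the sample events are all constructed assumptions for this example.

```python
"""
Cross-check an endpoint "malware removed: success" verdict against later
telemetry from the same host. Added example; the event format, field names
and security-service names are assumptions, not any product's real schema.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Interserve data). Timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2020-03-10T09:02:00", "host": "WS-042", "event": "file_quarantined",
     "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe", "result": "success"},
    {"ts": "2020-03-10T09:02:05", "host": "WS-042", "event": "malware_removed",
     "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe", "result": "success"},
    # Same file executes again after the tool declared it removed.
    {"ts": "2020-03-10T11:40:00", "host": "WS-042", "event": "process_start",
     "path": "C:\\users\\jdoe\\downloads\\INVOICE.EXE"},
    # Two days later the AV service disappears from the host.
    {"ts": "2020-03-12T02:15:00", "host": "WS-042", "event": "service_removed",
     "name": "AVEngine"},
    # A host where the removal was not contradicted by later events.
    {"ts": "2020-03-10T09:30:00", "host": "WS-077", "event": "malware_removed",
     "path": "C:\\Temp\\drop.dll", "result": "success"},
    {"ts": "2020-03-10T09:31:00", "host": "WS-077", "event": "process_start",
     "path": "C:\\Windows\\explorer.exe"},
]

# Service names treated as security tooling (assumed for the example).
SECURITY_SERVICES = {"avengine", "edragent"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def suspicious_hosts(events, window=timedelta(days=7)):
    """Return {host: [reason, ...]} for every host whose 'malware_removed'
    success verdict is contradicted by telemetry within `window` afterwards."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = {}
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["event"] != "malware_removed" or ev.get("result") != "success":
                continue
            removed_path = ev["path"].lower()   # Windows paths: compare case-insensitively
            deadline = _ts(ev) + window
            for later in evs[i + 1:]:
                if _ts(later) > deadline:
                    break
                if later["event"] == "process_start" and later["path"].lower() == removed_path:
                    findings.setdefault(host, []).append(
                        f"removed file executed again at {later['ts']}: {later['path']}")
                elif later["event"] == "service_removed" and later["name"].lower() in SECURITY_SERVICES:
                    findings.setdefault(host, []).append(
                        f"security service removed at {later['ts']}: {later['name']}")
    return findings


if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data the script flags only WS-042, for both the re-execution of the "removed" file and the later removal of the AV service; WS-077, whose only later activity is an unrelated process start, is not flagged. In practice the same check would be run against the EDR's own event stream, and a flagged host is treated as still compromised until a re-image or a manual verification says otherwise.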
Violations and Fines
The ICO determined that Interserve had violated two sections of GDPR:
- Interserve "failed to process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures as required by Article 5(1)(f)."
- Interserve "failed to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk as required by Article 32(1)."
When determining the penalty, the ICO took into account the volume and nature of the personal data that was compromised, the number of individuals affected, the length of time during which those individuals did not have access to or control of their personal data, and Interserve's prior data breaches. The ICO rejected Interserve's argument that "financial constraints" excused its cybersecurity failures and set the final penalty at £4.4 million (over USD 5.2 million).
[1] TLP White, 2022, "Hacking Healthcare".