ICO sends message over “complacency” after data breach at construction firm

UK information commissioner imposes fourth-largest fine after breach affecting up to 113,000 people.

The UK Information Commissioner’s Office (ICO) has imposed one of its largest ever fines after “complacency” led to a major data breach affecting up to 113,000 current and former employees and 283 systems at a construction outsourcer with links to the Ministry if Defence.

Construction group Interserve has been fined £4.4m ($4.99m) as result of a hacking attack two years ago. The source of the breach was a phishing email, forwarded by one employee to another.


When the contents were downloaded, malware was installed. This triggered an anti-virus quarantine, but Interserve failed to investigate thoroughly, and so did not realise the attacker still had access to company systems. The malware eventually led to Interserve’s anti-virus system being uninstalled.

Data compromised included contact details and National Insurance and bank details, as well as special category data relating to health, ethnic origin, disability and sexual orientation.

Information Commissioner John Edwards said: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

Fourth-largest fine

The fine is the fourth largest the ICO has imposed, falling just short of the maximum £17.4m ($19.71m) allowed. Edwards said: “The intention is to cause directors and chairmen to sit up and start asking questions of chief executives about cyber preparedness.”

Interserve’s construction and engineering business was rebranded as Tilbury Douglas in March 2021. A statement from Interserve said it had “worked extensively” with the ICO and National Cyber Security centre since first reporting the incident, and “strongly disputes that its staff and the company’s response were in any way complacent”.