PrivacyCache
GB | Security Measures | Other | Decision: 2022-10-24

Interserve Group

GBP4.4M

Issued by Information Commissioner's Office (ICO) on 2022-10-24

What happened

The ICO fined Interserve Group, one of the UK's largest outsourcing companies, £4.4 million for failing to keep the personal data of its staff secure, leading to a cyber attack that compromised the records of up to 113,000 current and former employees. The attack began when an employee forwarded a phishing email to a colleague, who opened it and downloaded its malicious content. Interserve's anti-virus software quarantined the malware and raised an alert, but the company did not investigate the suspicious activity thoroughly. The attackers went on to compromise 283 systems and 16 accounts, uninstalled the anti-virus software, and encrypted the personal data of current and former employees, which included contact details, national insurance numbers, bank account details and special category data such as ethnic origin, religion, disability, sexual orientation and health information. The ICO found that Interserve was running outdated software systems and protocols, had inadequate endpoint protection, had not given staff sufficient training, and had not carried out adequate risk assessments or regular security testing. These failures meant the company did not meet the security standard required by UK GDPR.

Articles violated

Art. 5(1)(f) UK GDPR
Art. 32 UK GDPR

Lessons learned

Employers handling large volumes of employee data must invest in cybersecurity proportionate to the risk. Basic security hygiene (patching and retiring unsupported systems, endpoint protection, security awareness training, and regular testing) is not optional. Phishing remains one of the most common initial access vectors, and employee training is a critical layer of defence, but it is not the last one: the anti-virus in this case did detect and quarantine the malware, and the breach unfolded because the resulting alert was not properly investigated. Detections are only useful if someone triages them. Outsourcing companies with large workforces must recognise that employee data, including bank details and special category data, is a high-value target. The cost of proper security is far less than the combined financial, operational, and reputational cost of a breach.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
