cybersecurity · Professional Services · 2022
Interserve Group Limited
Interserve Group, a major UK government contractor, was fined following a 2020 phishing attack that compromised personal and special category data of up to 113,000 current and former employees, including health, financial, and immigration status information. The ICO found that Interserve had failed to implement adequate anti-phishing controls, had failed to follow its own security processes for flagging suspicious emails, was running outdated and unpatched software across its systems, and had provided insufficient security training to staff. The company was also required to implement a formal remediation programme.
Fine imposed: €5.1M
Authority: ICO-UK
Regulation: UK General Data Protection Regulation + Data Protection Act 2018
Max fine: Higher tier: £17.5M or 4% of global annual turnover; standard tier: £8.75M or 2%
Status: active
Key Takeaways
- Government contractors handling large volumes of employee special category data face the same UK GDPR security obligations as private sector organisations — unpatched systems, absent MFA, and inadequate phishing training are each independently enforceable failures.