A very expensive email!

Towards the end of last year, Interserve has found out how costly it can be to open up an email - £4.4 million to be precise!

What's happened?

So the situation had all of the hallmarks of what one might show in a data protection training session of what not to do! An Interserve employee forwarded to another colleague a phishing email (a ‘phishing email’ is one which a criminal would use to ‘trick’ an individual to disclose information or download a virus/ransomware software, by usually pretending to be from a legitimate third party). Here, the Interserve employee’s colleague opened the email and downloaded its content – which unfortunately for Interserve, was malware.

However, there was a temporary moment of relief, as Interserve’s anti-malware systems quarantined the virus and sent an alert. Unfortunately, the ‘relief’ was only ‘fleeting’, as Interserve failed to realise that despite the alert and the quarantining of the virus, the cyber attacker still had access to Interserve’s systems.

What then followed was the cyber attacker managing to uninstall Interserve’s anti-virus measures, and compromising 283 systems, 16 accounts, and encrypting (so that they could no longer be accessed) 113,000 current and former staff’s personal data. The compromised data included: contact details, national insurance numbers, bank account details, special category data (including ethnic origin, religion, details of disabilities, sexual orientation, and health information).   


As a result of the cyber attack, the UK’s data protection regulator, the ICO, fined Interserve £4.4 million pursuant to the Data Protection Act 2018 for breaches of the UK GDPR. Unlike what has happened in some previous cases, where the ICO has provided a notice of intent to fine, and then reduced the proposed fine amount, that has not occurred here - as the £4.4 million reflects the same amount as the ICO referred to in its notice of intent to fine. The ICO felt that in the current case, the representations made by Interserve did not warrant a reduction in the fine. 

The rationale for the fine was that Interserve:

  • did not appropriately follow-up on the original alerts generated by the anti-virus software systems which it was using, and therefore, failed to act to prevent the subsequent adverse consequences
  • used outdated software systems and protocols within its business
  • lacked adequate staff training and appropriate risk assessments

This gave rise to Interserve failing to comply with the requirements of the UK GDPR, in particular, to put in place appropriate technical and organisational measures to safeguard the personal data of its staff.

Key points for organisations

The key points for organisations can be very aptly summarised by the stark warning provided by the UK Information Commissioner, who stated that:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company. If your business doesn't regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn't update software and fails to provide training to staff, you can expect a similar fine from my office.”

Consequently, organisations need to ensure that they deal with ‘cyber preparation’, rather than just dealing with cyber in a reactive manner. In order to do so, the UK and EU GDPR require appropriate technical and organisational measures to be put in place, which include: 

  • regularly monitoring for suspicious activity
  • properly investigating any initial warnings, whether provided by internal systems or otherwise
  • updating software (with appropriate software patch management) and removing outdated or unused platforms which could compromise the security and safeguards in respect of personal data
  • keeping policies up to date
  • keeping data management systems secure
  • providing regular staff training
  • implementing secure passwords and multi-factor authentication for access to systems

The Interserve fine is a timely reminder that GDPR compliance, as well as cyber preparation, are vital not only for organisations which are dealing with consumer data, but also for those dealing with any personal data, including those of its own staff (particularly those with large numbers of staff, or global operations). All too often, businesses and organisations may mistakenly consider that UK or EU GDPR is not an issue for them, as they feel that they are in a ‘Business-to-Business’ rather than ‘Business-to-Consumer’ environment. However, considering that the Interserve fine was focusing on the adverse consequences to its staff’s personal data, it is important that organisations avoid similar costly mistakes. 

How we can help 

Let our specialist cyber response team help you proactively before a cyber breach occurs, by drawing upon our UK GDPR and technology law specialist knowledge, including our expertise from helping some of the largest global organisations. As part of this service, we will help mitigate against legal risk exposure associated with cyber breaches.

If a cyber breach occurs, our cyber response team can also help assess and assist with any UK GDPR regulatory notifications to the ICO and to affected individuals. We can also help with taking legal action and defending against claims.

We can also put you in touch with specialist technical and forensic teams to mitigate against technical cyber risks.

Our cyber response service is headed by our UK market leading technology lawyer, Jagvinder Singh Kang (CIPP/E, CIPM, CIPT, FIP) who is also a qualified software engineer. Jagvinder and our national team of specialist cyber lawyers have extensive experience in helping the full range of organisations on cyber matters.

Consequently, Mills & Reeve’s National IT, Data Protection and Cyber Law Team can assist your organisation with all of these and other legal requirements.

Please feel free to get in touch to arrange an initial consultation call.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.