Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

UK Information Commissioner fines company £4.4 million for data breach

Privacy, Cyber Risk & Data Security Enforcement Of Interest to Non-US Persons UK GDPR Data Breach

Privacy, Cyber Risk & Data Security

On October 24, the UK Information Commissioner fined a construction company £4.4 million for a data breach that allegedly allowed hackers to access thousands of employees’ personal data. According to the monetary penalty notice, the company failed to process personal data in a manner that ensured the appropriate security of individuals’ personal data as required by Article 5(1)(f) and Article 32 of the EU’s General Data Protection Regulation. This includes protecting against unauthorized or unlawful processing, against accidental loss, destruction, or damage, and using appropriate technical and organizational measures, the regulator said. As a result of insufficient security measures, the company was exposed to a cyber-attack that affected the personal data of up to 113,000 company employees, including personal information such as phone numbers, email addresses, national insurance numbers, and bank account details, among others. An investigation found that the company allegedly failed to follow-up on a suspicious activity alert, used outdated software systems and protocols, and lacked adequate staff training and insufficient risk assessments. The regulator warned companies that “[t]he biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.” The regulator further stressed that failure to regularly monitor for suspicious activity, act on warnings, update software, or provide training may expose other companies to a similar fine.