Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

UK Fines Outsourcer For Failing To Stop Cyberattack (theguardian.com) 29

Bruce66423 writes: Britain's data watchdog has fined the construction group Interserve $4.9m after a cyber-attack that enabled hackers to steal the personal and financial information of up to 113,000 employees. The attack occurred when Interserve ran an outsourcing business and was designated a "strategic supplier to the government with clients including the Ministry of Defence." Bank account details, national insurance numbers, ethnic origin, sexual orientation and religion were among the personal information compromised. The Information Commissioner's Office (ICO) said Interserve Group broke data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack, which happened two years ago. Interserve's system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated.

The attack led to 283 systems and 16 accounts being compromised, uninstalled Interserve's anti-virus system and encrypted all current and former employees' information. The ICO said Interserve used outdated software systems and protocols, had a lack of adequate staff training and insufficient risk assessments. "This data breach had the potential to cause real harm to Interserve's staff, as it left them vulnerable to the possibility of identity theft and financial fraud," said John Edwards, the UK information commissioner. "Leaving the door open to cyber-attackers is never acceptable, especially when dealing with people's most sensitive information. The biggest cyber-risk businesses face is not from hackers outside of their company but from complacency within their company."

This discussion has been archived. No new comments can be posted.

UK Fines Outsourcer For Failing To Stop Cyberattack

Comments Filter:
  • If another private sector company had the same experience with that supplier they would probably be in court over it. But government is the one group that can penalize a company directly. Given this position, should it not also then be the task of the government to require proof of adherence through oversight in advance (and during) project execution?

    Imagine if companies could simply declare each other to be "fined".

    • by mccalli ( 323026 ) on Monday October 24, 2022 @10:48AM (#62993611) Homepage
      I don't think you know what's happened. Of course they require proof of adherence - how do you think it was detected? The ICO, Information Commissioner's Office, is also capable of declaring any company fined using powers granted it to by law, they have done so in the past and will do so in the future.

      The question will be enforcement and appeal, as per any other ICO case. There's nothing special here - the government didn't unilaterally decide to go "hah ha! Boo! FINE!"...an agency tasked with protecting information followed the law, determined a breach and then issued a fine using the powers granted to it by that same law. Courts will be involved should the recipient of the fine appeal, or refuse to pay. In other words - this is standard procedure.
    • In effect the ICO isn't part of the government in this transaction, it's an independent regulator. Therefore it is legitimate to take a swipe at the organisation as long as it can justify its actions before a court.

      Where you may be right is that this perhaps means is that companies working for the government will be a little more careful about cutting corners; this would be good. Even better if it encourages companies to be careful about everybody they work with!

    • by Entrope ( 68843 )

      PayPal claims it can do exactly what you say: https://reason.com/volokh/2022... [reason.com]

      Other finance companies have similar mechanisms, including chargebacks for credit cards.

  • by Errol backfiring ( 1280012 ) on Monday October 24, 2022 @09:54AM (#62993441) Journal
    If the government outsources national IT security to the lowest bidder, this is what you get. It is a crime that the government outsourced such important things at all.
    • by Tablizer ( 95088 )

      If you think it's hard to sue somebody in your own country, trying remotely suing somebody in Timbuktu. Outsourcees know this.

  • by jenningsthecat ( 1525947 ) on Monday October 24, 2022 @09:56AM (#62993449)

    ... ethnic origin, sexual orientation and religion were among the personal information compromised.

    Why in hell had that information been collected in the first place? What business is it of anybody other than the individual employee and whomever he or she should decide to share it with? Why would an employer even ask those questions?

    • Re:WTF? (Score:5, Informative)

      by mattaw2001 ( 9712110 ) on Monday October 24, 2022 @10:08AM (#62993487)
      Having had several security clearances in the UK, and one check in the USA, they will typically want to know details which are typically considered private. Considering the national security (safety?) implications of the data/work being done they will collect information on your private life looking for blackmail opportunities and risk, for example "closet" homosexuality or financial debt. They also straight up ask if you are a terrorist/criminal, or have been a terrorist, or know any terrorists, etc.. They record the answers to those so if you are found to have lied later they can instantly fire you for failing to answer truthfully, and level additional charges as needed.

      I don't know if it is true or not but I have been told by the RMP of a young person just out of college who checked yes to all the "terrorist" boxes in a fit of humor. The RMP were fairly sure they were not a terrorist, however they took the opportunity to engage in a full scale armed raid of the home this person was staying in. That being their parents house and they were all turfed out of bed at 1am by armed soldiers who broke into the house and questioned. The RMP figured it was good training at the least, and it might have been true.

      So be warned, governments have no sense of humor with these things - after all can you imagine the problem if they ignored a declared threat which was actually real?

      • by Entrope ( 68843 )

        For an example that more people can relate to, think of the signs about joking at an airport security line. Sure, if someone laughingly says "yes, I have a bomb in my bag", a listener can probably guess whether they're just joking or whether they really might -- but the people who are responsible for performing the security checks need a higher level of certainty than "can probably guess", so they're going to take that statement very seriously and make sure it's false before letting the person go through.

      • If you're a "closet" homosexual, do they seriously expect them to answer "yes" in their questionnaire?

        Then again, the immigration form for the US has a "are you a member of a terrorist organization" as a question...

        • by _merlin ( 160982 )

          Last time I went to the US (close to 20 years ago now) they had questions like, "Are you entering the US with the intention of committing a crime?" and one asking if you're a foreign espionage agent. You'd have to be really stupid to answer yes to any of them. I think all it really does is allow them to bring charges of signing a false declaration if they catch you for any of the things they asked about.

          • I heard, and I have no idea whether that's true but it would at least make sense, that they can't just deport you for committing a crime, but they can if you lie on your immigration form.

            I can frankly only assume it has to be some sort of legalese technicality bullshit.

    • Why would an employer even ask those questions?

      Equality and diversity statistics.

    • by hoofie ( 201045 )

      UK law has anti-discrimination requirements where you need to be able to identify and report on this information for your employees for statistical and compliance purposes.

      It's pretty well a guaranteed requirement for any Govt etc contracts.

  • Just sad that this is still a thing. But then you choose the same flawed platform you get the same results.
    • But then you choose the same flawed platform you get the same results.

      Phishing emails don't give a fuck what platform you use. The comment you just made is the reason IT is still a security nightmare, a demonstration that even geeks who read news for nerds clearly don't have a clue about IT security.

  • by Murdoch5 ( 1563847 ) on Monday October 24, 2022 @01:04PM (#62994145) Homepage

    Interserve's system failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated.

    Okay ... how many bleeping times do we have to go over email policy? ENCRYPT, SIGN AND DIGITALLY VERIFY ALL EMAILS! Email is insecure to a comical level, the kind of comedy that is funny, stupid, terrifying and head shaking, and the vast majority of people in tech know that. If you know something is major flashing problem, and you have the ability, technology, and protocols to fix it, then why aren't you?

    The real question that governments need to start asking is why wasn't the email system demanding encryption, signing and validation? If you just demand encryption, signing and validation you can stop 99.999% of attacks before they start, and yes I pulled that number out of my butt, but It's probably in the ball park of accurate.

    • Okay ... how many bleeping times do we have to go over email policy? ENCRYPT, SIGN AND DIGITALLY VERIFY ALL EMAILS!

      You've solved maybe 5% of possible email related phishing attacks. What else do you got?

  • There really is no way but punishment for bad IT security. The market completely fails on this question.

  • just phishing email. All those requirements like encyption-in-transit/rest, rotating passwords, anti-virus on servers... all mean jack. just email...

C makes it easy for you to shoot yourself in the foot. C++ makes that harder, but when you do, it blows away your whole leg. -- Bjarne Stroustrup

Working...