The Truth About The Interserve Cyber Breach

So, the headline fine of £4.4m by the UK Information Commissioner's Office (ICO) for a phishing attack against Interserve, leading to loss of #data for 113,000 staff, grabs the headlines. However, what are the real failings that led to this fine?

Many organisations suffer from #phishing attacks, and some lead to #dataloss – but they don't get fined. So, what went wrong at Interserve?

The fine is under the #ukgdpr (just a post-Brexit re-badge of the EU equivalent), and relates to an attack between 30 March and 2 May 2020. Here is the first clue – why does a phishing attack last more than a month?

The ICO states that Interserve failed to ensure 'appropriate security' of the employee personal data.

The breach started with a phishing email to a finance team mailbox that demanded 'urgent review'. This led to an employee downloading a file that contained some #malware, allowing the hacker to access this user's computer. However, the employee was home-based and the Interserve configuration allowed the computer to connect directly to the hacker, bypassing any organisational controls (known as split-tunnelling – first failing!).

The next control worked – the #antivirus (AV) blocked some files and alerted the organisation. However, the hacker remained connected to the computer and the organisation didn't respond to the AV alerts (second failing!).

The hacker then 'let rip' (technical term), accessing four domains, 12 admin accounts and 283 servers! Along the way, they compromised four HR systems – hence the employee data compromise.

The first warning that Interserve had was on 2 May, with a message from the hacker – so, no effective detection was in place to spot what had been a massive compromise! That is over a month of hacking activity that was not detected.

Interserve didn't report this to the ICO until 5 May. Not sure where the 72-hour reporting requirement sat in this process?

Other vulnerabilities and failings that helped the attacker included:

  1. Using unsupported operating systems, with known #vulnerabilities that couldn't be patched. The ICO quoted their 'Security Outcomes' here – their key #GDPR related minimum security levels.
  2. The use above was in contravention of Interserve's own documented policies and standards. However, there was no risk assessment to justify these failings.
  3. The majority of servers didn't have the latest AV protection, even though their vendor offered this as a free upgrade with the end-point protection they had purchased.
  4. Interserve could not provide any evidence of #penetrationtesting in the last two years!
  5. The original users that responded to the phishing email had not been trained.
  6. The widespread use of domain admin privileges was against their own policy and procedures.

As is the current ICO policy, the most embarrassing elements of their investigation are redacted from the ICO report. However, the above certainly gives plenty of food for thought to other organisations about their own weaknesses.

So, a typical #ransomwareattack, starting with home users, and stealing HR data as a 'back up' for the attackers. All 'simple' activities by the hackers, exploiting organisational mistakes and poor cyber security.

Some learning here for all business owners – and be careful about the mentality that "it only happens to big business". #cyberprotection #cyber
