The cyber attack took place in May 2020, when criminals used a phishing email scam to gain access to employee information at the firm.
The hackers were able to access data which included employee contact details, national insurance numbers and bank account details, as well as special category data including ethnic origin, religion, details of any disabilities, sexual orientation and health information.
The attacker infiltrated 283 systems and 16 accounts, in addition to uninstalling the company’s anti-virus system.
Cyber security in the workplace:
What a new UK GDPR law might look like
Government invests in workplace cyber security
Employees risking data breaches due to IT problems
The ICO ruled that Interserve broke data protection law by failing to put appropriate measures in place to prevent unauthorised access of private data.
The firm also failed to follow up on an alert from its anti-virus software, which had flagged that malware had been installed onto an employee’s computer after the staff member opened and downloaded the content of a forwarded phishing email.
The investigation also found that Interserve used outdated software systems and protocols, had a lack of adequate staff training and sub-par risk assessments.
Anne-Marie Balfour, legal director at law firm Charles Russell Speechlys, said employers need to understand the importance of protecting employee data.
She told HR magazine: "The decision highlights the high standards expected of employers, and the extent and importance of the steps employers need to take to protect information about employees that is stored on their systems. Having the correct policies and privacy notices in place are the foundations, but training, risk assessing and monitoring, as well as up to date and thorough technical input are also essential.
"Employers and employees alike need to be mindful of their obligations under data protection laws. For example, in an entirely different context, the ICO has successfully prosecuted individual employees for misusing personal data obtained at work, resulting in fines and criminal convictions for these employees."
UK information commissioner John Edwards issued a warning to companies who don't take their cyber security protocols seriously.
He said: "Leaving the door open to cyber attackers is never acceptable, especially when dealing with people’s most sensitive information. This data breach had the potential to cause real harm to Interserve’s staff, as it left them vulnerable to the possibility of identity theft and financial fraud.
"If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office."
