Incident: Cyber-Attack on Interserve's Outdated Systems Leads to Data Breach

Published Date: 2022-10-23

Postmortem Analysis
Timeline
1. The software failure incident at Interserve, in which a cyber-attack compromised the personal and financial information of employees, happened two years before the article was published [133673].
2. The article was published on 2022-10-23; the incident therefore occurred around October 2020.

System
1. Interserve's system failed to stop a phishing email that an employee downloaded.
2. The subsequent anti-virus alert was not properly investigated.
3. Interserve used outdated software systems and protocols.
4. Interserve lacked adequate staff training.
5. Interserve had insufficient risk assessments. [133673]

Responsible Organization
1. Interserve Group: the software failure incident was caused by the actions of Interserve Group, which failed to put appropriate measures in place to prevent the cyber-attack, used outdated software systems and protocols, lacked adequate staff training, and had insufficient risk assessments [133673].

Impacted Organization
1. Ministry of Defence [133673]

Software Causes
1. The company's system failed to stop a phishing email that an employee downloaded, which led to the cyber-attack [133673].
2. The incident was exacerbated by the failure to properly investigate a subsequent anti-virus alert, which allowed the attack to compromise systems and accounts [133673].
3. Interserve's use of outdated software systems and protocols, lack of adequate staff training, and insufficient risk assessments were also identified as software causes of the incident [133673].

Non-software Causes
1. Lack of appropriate measures to prevent the cyber-attack, such as outdated software systems and protocols, inadequate staff training, and insufficient risk assessments [133673].

Impacts
1. Personal and financial information of up to 113,000 employees was stolen, including bank account details, national insurance numbers, ethnic origin, sexual orientation, and religion [133673].
2. 283 systems and 16 accounts were compromised, and Interserve's anti-virus system was uninstalled [133673].
3. All current and former employees' information was encrypted, leaving them vulnerable to identity theft and financial fraud [133673].
4. The ICO fined Interserve £4.4m, the fourth largest fine the ICO had imposed [133673].

Preventions
1. Robust cybersecurity measures such as up-to-date software systems and protocols, adequate staff training, and regular risk assessments could have prevented the cyber-attack on Interserve [133673].
2. Employee awareness and training on cybersecurity best practices, especially on identifying and handling phishing emails, could have helped prevent the incident [133673].
3. Promptly investigating and addressing security alerts, such as the anti-virus alert that went uninvestigated in this case, could potentially have prevented the attack [133673].
4. Regularly updating and maintaining security systems, including anti-virus software, so that they remain effective at detecting and preventing threats could have reduced the risk of a successful attack [133673].

Fixes
1. Implement up-to-date software systems and protocols to prevent vulnerabilities [133673].
2. Provide adequate staff training on cybersecurity measures to improve awareness of and response to potential threats [133673].
3. Conduct thorough risk assessments to identify and address weaknesses in the system [133673].

References
1. Information Commissioner's Office (ICO) [Article 133673]
2. John Edwards, the UK information commissioner [Article 133673]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization
Rationale: (a) The software failure incident related to a cyber-attack on Interserve occurred within a single organization. The cyber-attack enabled hackers to steal the personal and financial information of up to 113,000 employees. It happened two years before the article, when an employee downloaded a phishing email, leading to compromised systems and accounts [133673]. (b) The article gives no information about the incident happening at multiple organizations.

Category: Phase (Design/Operation)
Option: design, operation
Rationale: (a) The incident was primarily due to contributing factors introduced during the design and development phases. It occurred because Interserve failed to put appropriate measures in place to prevent the cyber-attack, which happened two years before the article. The attack began when an employee downloaded a phishing email, and the subsequent anti-virus alert was not properly investigated. In addition, Interserve was using outdated software systems and protocols, lacked adequate staff training, and had insufficient risk assessments [133673].

Category: Boundary (Internal/External)
Option: within_system
Rationale: (a) within_system: The incident was primarily due to factors originating from within the system. It occurred when an employee downloaded a phishing email that the system failed to stop, and an anti-virus alert was not properly investigated [133673]. The failure of Interserve's system to prevent the cyber-attack, the lack of appropriate measures, the use of outdated software systems and protocols, inadequate staff training, and insufficient risk assessments were all internal factors contributing to the incident [133673].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale: (a) The incident was primarily due to non-human actions. The cyber-attack on Interserve was initiated through a phishing email that an employee downloaded, leading to the compromise of systems and accounts [133673]. The attack was further facilitated by the failure of Interserve's system to stop the phishing email and by the lack of a proper investigation of the subsequent anti-virus alert, which allowed the attackers to uninstall the anti-virus system and encrypt employees' information [133673]. These actions were not directly caused by human intent but by vulnerabilities in the system and its processes.

Category: Dimension (Hardware/Software)
Option: software
Rationale: (a) The incident was not attributed to hardware issues. It was primarily due to software-related factors: the failure to prevent a cyber-attack, outdated software systems and protocols, lack of adequate staff training, insufficient risk assessments, and the failure to properly investigate anti-virus alerts [133673].

Category: Objective (Malicious/Non-malicious)
Option: malicious, non-malicious
Rationale: (a) The incident in Article 133673 was malicious. It resulted from a cyber-attack in which hackers stole the personal and financial information of up to 113,000 employees of the construction group Interserve. The attack was enabled by a phishing email that an employee downloaded, leading to the compromise of systems and accounts, encryption of employee information, and disruption of operations. The attackers exploited vulnerabilities in Interserve's systems and protocols, indicating a deliberate intent to harm the company and its employees [133673]. (b) The incident was also non-malicious to some extent. The failure was attributed to Interserve's inadequate measures to prevent the cyber-attack: outdated software systems, a lack of staff training, and insufficient risk assessments. The failure to properly investigate an anti-virus alert and to address the phishing email indicated a lack of proactive security measures and response protocols within the company. These non-malicious factors contributed to the success of the malicious cyber-attack [133673].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale: (a) The incident was primarily due to poor decisions by the company. The Information Commissioner's Office (ICO) fined Interserve £4.4m for breaking data protection law because the company failed to put appropriate measures in place to prevent the cyber-attack, which happened two years before the article. The ICO highlighted that Interserve used outdated software systems and protocols, lacked adequate staff training, and had insufficient risk assessments, all of which contributed to the breach [133673].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence
Rationale: (a) The incident was primarily due to development incompetence. It occurred because Interserve Group failed to put appropriate measures in place to prevent the cyber-attack, which led to the compromise of the personal and financial information of up to 113,000 employees [133673]. The company's system failed to stop a phishing email that an employee downloaded, and a subsequent anti-virus alert was not properly investigated. Interserve also used outdated software systems and protocols, lacked adequate staff training, and had insufficient risk assessments, all of which contributed to the breach [133673].

Category: Duration
Option: temporary
Rationale: The incident was temporary. It was caused by specific contributing factors arising from particular circumstances: the failure to prevent the phishing email, the inadequate investigation of the anti-virus alert, and the compromise of systems and accounts [133673].

Category: Behaviour
Option: crash
Rationale: (a) crash: The incident can be categorized as a crash. It led to the compromise of 283 systems and 16 accounts, the uninstallation of Interserve's anti-virus system, and the encryption of all current and former employees' information, indicating that the system lost state and stopped performing its intended functions [133673].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property
Rationale: (d) property: People's material goods, money, or data were impacted by the software failure. The incident at Interserve led to hackers stealing the personal and financial information of up to 113,000 employees, including bank account details, national insurance numbers, ethnic origin, sexual orientation, and religion. This breach left the employees vulnerable to identity theft and financial fraud [Article 133673].

Category: Domain
Option: information, construction
Rationale: (a) The failed system was intended to support the information industry. The incident involved a cyber-attack on the construction group Interserve, resulting in the theft of the personal and financial information of up to 113,000 employees [Article 133673].

Sources
