Cyber Incident Victim: Interserve
Date: May 2020
Location: United Kingdom
Summary
A UK defense contractor and Ministry of Defence service provider suffered a cyberattack compromising up to 100,000 current and former employee records. Attackers accessed sensitive personal and financial data including bank details, payroll information, next of kin contacts, HR files, absence records, and pension data. The breach disrupted some operational services, prompting collaboration with national cybersecurity authorities and regulators to investigate and mitigate the incident. The organization, which also supported healthcare infrastructure during the pandemic, confirmed ongoing remediation efforts while maintaining critical service delivery.
Description
On or around May 9, 2020, Interserve, a United Kingdom-based defense contractor supporting the Ministry of Defence across 35 sites and involved in constructing the Birmingham Nightingale Hospital during the COVID-19 pandemic, experienced a cybersecurity breach. Attackers infiltrated the company’s human resources database, exfiltrating sensitive information belonging to current and former employees. The compromised data encompassed names, addresses, bank account details, payroll records, next of kin information, HR files, dates of absences, and pension-related data. While Interserve employed approximately 53,000 individuals at the time, the breach potentially impacted up to 100,000 people due to the inclusion of historical employee records. The intrusion was detected shortly after it occurred, with the company initiating incident response procedures over the same weekend. Interserve promptly engaged the UK’s National Cyber Security Centre (NCSC) and specialized Strategic Incident Response teams to investigate the scope of the compromise, contain further unauthorized access, and implement remedial measures.

Interserve formally notified the Information Commissioner’s Office (ICO) of the personal data exposure in compliance with regulatory obligations, though the specific attack vector and identity of the threat actors remained undisclosed. The company acknowledged that investigative and remediation efforts would require extended timeframes, potentially disrupting operational services across its contracts, including those supporting critical national infrastructure and healthcare initiatives. Public confirmation of the incident occurred through a May 13 press release and media reports, which cited internal sources confirming the theft of employee records. Interserve did not publicly verify the exact number of affected individuals beyond acknowledging the potential 100,000-record exposure estimate, nor did it disclose evidence of data misuse. The breach highlighted risks to supply chain security given Interserve’s role as a government contractor handling sensitive employee data across defense, healthcare, and public service sectors during a period of heightened operational demands.
