UK media regulator Ofcom has suffered one of the biggest security breaches in its history after it emerged that a former employee offered as much as six years' worth of sensitive internal data to his new employer, a major broadcaster.
The incident has led to the watchdog sending out dozens of letters to TV companies holding an Ofcom licence about the data breach.
According to reports by the Guardian, the regulator was alerted to the problem by senior executives working for the broadcaster after the former Ofcom employee offered his new employer this information.
The spokesman for Ofcom said: “On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee's statutory duty under the Communications Act and a breach of the contract with Ofcom.”
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties,” the spokesman added.
As the breach doesn't involve personal information, Ofcom doesn't need to notify the Information Commissioner's Office; however, it is understood that it has been informed. The data is thought to contain details of business plans submitted by broadcasters during consultations with Ofcom.
“This is a perfect example of how a breach isn't always a high-tech hack. Sometimes the culprit really can be someone who sits next to you at work, and not the anonymous, faceless perpetrator that has become synonymous with modern-day cybercrime,” said Ross Brewer, European head of security intelligence firm LogRhythm.
“Companies need to be aware that when sensitive information is readily available amongst employees, there is the possibility for anyone to abuse their trusted position.”
Louise Bulman, vice president and general manager, EMEA at Vormetric, told SCMagazineUK.com that Ofcom is just one of many businesses to be affected by the ‘insider threat’, involving the inappropriate or unauthorised access and theft of confidential company data, an aspect of security which organisations are continuing to find difficult to address.
“The incident is a perfect example of how firms struggle to protect their data resources from those already legitimately ‘inside the fence’. It is often a case of ineffective management of ‘privileged’ users on corporate networks that causes this type of data breach incident. Every organisation will have employees or contractors who have far-reaching, privileged computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework,” she said.
“The question therefore needs to be asked: why do so many organisations still have such inadequate policies in light of recent insider threat headlines and incidents worldwide? It has been three years since Edward Snowden brought the reality of these risks to light, yet organisations are still reeling from the effects of insider threat. Have no lessons been learned?”
David Gibson, vice president of strategy and market development at Varonis, told SCMagazineUK.com that the root of the problem is that most employees have access to far more information than they need to do their jobs, and their data activities are not monitored or analysed for malicious behaviour.
“This is especially true for unstructured data – the largest, fastest growing kind of data that often contains an organisation's intellectual property, financial records, and other important content. As a result, low-level workers can access and make off with highly sensitive information, often without anyone knowing.”