News: No company should underestimate the insider threat.
A former Ofcom employee has given a large amount of sensitive data about various TV companies to his new employer, a major broadcaster, in what is shaping up to be the biggest data breach in Ofcom’s history.
A spokesperson for the media regulator told the Guardian, "On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom."
According to sources cited by the Guardian, the data breach involved an ex-employee downloading as much as six years of data provided by TV broadcasters to the regulator. After leaving Ofcom, the former employee reportedly offered the data to his or her new employer, said to be a major TV broadcaster. However, instead of exploiting the data, the broadcaster alerted Ofcom to the stolen information.
The spokesman for Ofcom said: "Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties."
This major data breach has highlighted the insider threat facing businesses which collect and store sensitive data. Ross Brewer, VP and MD of EMEA at LogRhythm, said: "This is a perfect example of how a breach isn’t always a high-tech hack. Sometimes the culprit really can be someone who sits next to you at work, and not the anonymous, faceless perpetrator that has become synonymous with modern-day cybercrime.
"Companies need to be aware that when sensitive information is readily available amongst employees, there is the possibility for anyone to abuse their trusted position. Worryingly for Ofcom, this particular individual was able to download up to six years of information before leaving the company.
"Companies like Ofcom hold huge quantities of confidential data and this will no doubt be a big wake-up call for the communications regulator. A big problem is that many businesses use the majority of their resources fighting the external threat, often underestimating the impact that the insider threat can have. However, as Ofcom will likely discover, employees can pose a very real threat to a company’s reputation."