Ofcom suffers major security breach
Ex-employee offered sensitive data to major broadcaster
Ofcom has had the biggest security breach in its history after an ex-employee was caught offering confidential data on TV companies to his new employee, a major broadcaster.
The incident forced the media watchdog to send out dozens of letters explaining the breach to TV companies holding an Ofcom licence. It is believed the former employee managed to download as much as six years’ worth of data, according to the Guardian.
In a statement, an Ofcom spokeswoman said: “On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
It is believed that Ofcom was informed of the breach by senior executives at the unnamed broadcaster. The broadcaster is not thought to have exploited the data, which would have been quite useful from a competitive standpoint.
As no personal data was involved, it is not compulsory for the Information Commissioner’s Office (ICO) to be notified, although it is understood that Ofcom informed the watchdog of the incident anyway.
Mark Bower, global director of product management at HPE Security - Data Security, said the event illustrates that even with a strong network perimeter in place, it just is not enough.
“Perimeter security is similar to a fence around a house. However, what if someone inside the house is the thief? Today it’s imperative that organisations adopt a data-centric security approach that defends the data itself, typically by encryption or tokenisation.
“This ensures that no matter where the data resides if a hacker gets it, or in this case, an employee who is granted legitimate access, the data is protected and isn’t useful. This ability to render data useless if lost or stolen is an essential benefit to ensure data remains secure.”
David Gibson, VP of strategy and market development at Varonis, said that low-level workers can access and make off with highly sensitive information, often without anyone knowing.
“To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm’s way,” he said.