Ofcom suffers major security breach

Ex-employee offered sensitive data to major broadcaster

Ofcom has had the biggest security breach in its history after an ex-employee was caught offering confidential data on TV companies to his new employee, a major broadcaster.

The incident forced the media watchdog to send out dozens of letters explaining the breach to TV companies holding an Ofcom licence. It is believed the former employee managed to download as much as six years' worth of data, according to the Guardian.

In a statement, an Ofcom spokeswoman said: "On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee's statutory duty under the Communications Act and a breach of the contract with Ofcom.

"Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

It is believed that Ofcom was informed of the breach by senior executives at the unnamed broadcaster. The broadcaster is not thought to have exploited the data, which would have been quite useful from a competitive standpoint.

As no personal data was involved, it is not compulsory for the Information Commissioner's Office (ICO) to be notified, although it is understood that Ofcom informed the watchdog of the incident anyway.

Mark Bower, global director of product management at HPE Security - Data Security, said the event illustrates that even with a strong network perimeter in place, it just is not enough.

"Perimeter security is similar to a fence around a house. However, what if someone inside the house is the thief? Today it's imperative that organisations adopt a data-centric security approach that defends the data itself, typically by encryption or tokenisation.

"This ensures that no matter where the data resides if a hacker gets it, or in this case, an employee who is granted legitimate access, the data is protected and isn't useful. This ability to render data useless if lost or stolen is an essential benefit to ensure data remains secure."

David Gibson, VP of strategy and market development at Varonis, said that low-level workers can access and make off with highly sensitive information, often without anyone knowing.

Advertisement - Article continues below

"To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm's way," he said.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/security/cyber-security/354468/if-not-passwords-then-what
cyber security

If not passwords then what?

8 Jan 2020
Visit/policy-legislation/31772/gdpr-and-brexit-how-will-one-affect-the-other
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020