The Information Commissioner's Office (ICO) has begun an
investigation into a security breach at Cable & Wireless which
led to confidential customer details becoming public.
The telecoms company said customer details from its former
subsidiary Bulldog Broadband were
leaked from a company laptop taken on a business trip to
Pakistan in 2005. The employee who was using the laptop was later
sacked for not returning from the trip as planned. She denies
stealing the data.
The incident has highlighted the need for organisations to
secure their data, not only from external attacks, but from risks
posed by the actions of employees.
A BBC Newsnight investigation found that customer details had
been used by call centres abroad to approach Bulldog customers and
obtain credit card details. Cable & Wireless and current
Bulldog owner Pipex have issued a High Court injunction requiring
the former employee and call centres to cease using the data.
The ICO said it had received a response from Cable &
Wireless last month explaining how the breach occurred and would
begin a dialogue with the company in the coming weeks to ensure
that it does not happen again.
Analysts advised organisations to assess the risks to their
confidential data in the light of the incident.
"Security must be able to manage both illegal access to data and
legitimate access being used for unauthorised purposes. This
requires assessing technical and organisational risks with equal
weight," said Thomas Raschke, senior analyst at Forrester
Research.
Gartner vice-president Avivah Litan said that, as part of an
overall security policy, companies should engage in practices such
as employee screening and data access management to prevent staff
selling sensitive customer data.
Cable & Wireless said it had reviewed its data protection
policies and there was no evidence that any customer credit card
details had been misused as a result of the breach. The operator
said the breach had nothing to do with its own use of outsourced
call centres.
"We believe that the steps that we have taken against the
individual and companies concerned have led to the destruction of
all copies of the Bulldog customer data they may have held," it
said in a statement.
Pipex said it was not aware of any customers being defrauded as
a result of the incident.
The former C&W employee told the BBC in an e-mail, "I do not
have any part of the Bulldog database."