
Spotlight on staff security risks as data watchdog probes C&W breach

Author: John-Paul Kamath
Posted: 10:41 04 Jun 2007

The Information Commissioner's Office (ICO) has begun an investigation into a security breach at Cable & Wireless which led to confidential customer details becoming public.

The telecoms company said customer details from its former subsidiary Bulldog Broadband were leaked from a company laptop taken on a business trip to Pakistan in 2005. The employee who was using the laptop was later sacked for not returning from the trip as planned. She denies stealing the data.

The incident has highlighted the need for organisations to secure their data, not only from external attacks, but from risks posed by the actions of employees.

A BBC Newsnight investigation found that customer details had been used by call centres abroad to approach Bulldog customers and obtain credit card details. Cable & Wireless and current Bulldog owner Pipex have issued a High Court injunction requiring the former employee and call centres to cease using the data.

The ICO said it had received a response from Cable & Wireless last month explaining how the breach occurred and would begin a dialogue with the company in the coming weeks to ensure that it does not happen again.

Analysts advised organisations to assess the risks to their confidential data in the light of the incident.

"Security must be able to manage both illegal access to data and legitimate access being used for unauthorised purposes. This requires assessing technical and organisational risks with equal weight," said Thomas Raschke, senior analyst at Forrester Research.

Gartner vice-president Avivah Litan said that, as part of an overall security policy, companies should engage in practices such as employee screening and data access management to prevent staff selling sensitive customer data.

Cable & Wireless said it had reviewed its data protection policies and there was no evidence that any customer credit card details had been misused as a result of the breach. The operator said the breach had nothing to do with its own use of outsourced call centres.

"We believe that the steps that we have taken against the individual and companies concerned have led to the destruction of all copies of the Bulldog customer data they may have held," it said in a statement.

Pipex said it was not aware of any customers being defrauded as a result of the incident.

The former C&W employee told the BBC in an e-mail, "I do not have any part of the Bulldog database."
