Brian Jackson - Fotolia

Ofcom data breach highlights insider threat

That a former employee of communications regulator Ofcom stole data should act as a warning about the insider threat in every organisation, say experts

UK communications regulator Ofcom has revealed that a former employee offered stolen – commercially sensitive – information to his new employer, highlighting the insider threat

The man’s new employer, a major broadcaster, declined the offer and alerted Ofcom that its former employee had downloaded up to six years’ worth of data while still at the regulator, according to the Guardian.

The data had been provided by TV broadcasters to Ofcom and could have been used by rivals to gain a competitive edge.

Ofcom has alerted all the TV companies that were affected by the breach – the biggest known breach in the regulator’s history.

“This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom,” the regulator said in a statement.

“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner,” the regulator said, adding that the extent of the disclosure had been “limited” and “contained”.

Secuity industry commentators say the breach underlines the need for organisations to take seriously the threat of insiders wittingly or unwittingly leaking commercially sensitive data.

“Spotting cyber security incidents that arise from within a company can be particularly tricky, as the perpetrator may have legitimate access to sensitive data,” said Luke Brown, vice-president and general manager for Europe at security firm Digital Guardian.

“This breach shows that regardless of any defensive perimeter security, without taking steps to secure the data itself organisations can still fall victim of a significant data breach.”

Read more about the insider threat

Measures to contain misuse

According to Brown, one answer is data-aware security technology which, in the case of Ofcom, could have prevented – or, at the very least, recorded – the employee downloading and copying sensitive data without approval or permission.

“This news should act as a warning to other businesses that they must start taking the problem of the ‘insider threat’ seriously,” he said.

Christine Andrews, managing director of governance, risk and compliance firm DQM GRC, said this type of data leakage is an extremely common and serious threat to businesses.

Andrews said research has shown that a quarter of employees would sell private company data and risk both their job and a criminal conviction for just £5,000.

“High-profile, targeted attacks – such as TalkTalk and Sony Pictures – generate fear in businesses from external hacking attempts; but, in this day and age, businesses need to be wary of both those on the inside as well as on the outside,” she said.  

Data watermarking

However, Andrews said there are ways companies can keep an eye on their confidential information – even when it has left the building.

Data watermarking allows you to add unique tracking records, known as seeds, into your database. These monitor how your data is used outside your organisation's direct control.

“The service works for e-mail, physical mail, landline and mobile telephone calls and is designed to build you a detailed picture of the real use of your data,” she said.

Recent research by both government and private industry has highlighted the main weaknesses that make organisations vulnerable to insider attacks.

These include: poor management practices, poor use of auditing functions, a lack of protective security controls, a lack of role-based security risk assessments, inadequate corporate governance and a poor security culture.

There are five key areas that organisations need to address to reduce the risk insider threats, according to Peter Wood, chief executive of security firm First Base Technologies.

These are: staff vetting, education, protective controls, detective controls and security testing.

Read more on Privacy and data protection