The UK media regulator, Ofcom, is looking into the biggest data breach in its history, involving the misuse of data that an employee downloaded before leaving the organisation. The now ex-staff member appears to have taken as much as six years' worth of data that Ofcom had received from TV broadcasters and offered it to his new employer, which apparently rejected it and contacted Ofcom about the breach.
“On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee,” said a spokesman for Ofcom. “This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.”
The watchdog added: “Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
Commenting on this, David Gibson, VP of strategy and market development at Varonis, said, “A vast number of data breaches are due to insiders, malicious or otherwise. The root of the problem is that most employees have access to far more information than they need to do their jobs, and their data activities are not monitored or analysed for malicious behaviour. This is especially true for unstructured data – the largest, fastest growing kind of data that often contains an organisation’s intellectual property, financial records, and other important content. As a result, low-level workers can access and make off with highly sensitive information, often without anyone knowing. To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm’s way.”
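The monitoring Gibson describes, analysing how users actually use data and spotting behaviour that departs from their role, can be put into practice with very little machinery once file-access auditing is switched on. The script below is an added illustration, not code from the article or from Varonis: it builds a per-user daily read count from constructed audit records (timestamp, user, action, path), compares each day against that user's own baseline, and applies an absolute bulk-read threshold so a first-time burst is caught even without history. The log format, thresholds and share layout are assumptions; the burst on 18 February is constructed to resemble an insider copying several years of broadcaster returns in one sitting.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample audit records (timestamp user action path); these are
# made-up lines for illustration, not data from the Ofcom incident.
NORMAL_LINES = [
    "2016-02-15T09:12:00 alice READ /shares/returns/2015/ch4-q1.xlsx",
    "2016-02-15T10:03:00 alice READ /shares/returns/2015/ch4-q2.xlsx",
    "2016-02-15T14:30:00 bob READ /shares/policy/draft.docx",
    "2016-02-16T09:05:00 alice READ /shares/returns/2015/itv-q1.xlsx",
    "2016-02-16T11:20:00 alice READ /shares/returns/2015/itv-q2.xlsx",
    "2016-02-16T11:25:00 alice READ /shares/returns/2015/itv-q3.xlsx",
    "2016-02-17T09:00:00 alice READ /shares/returns/2015/bbc-q1.xlsx",
    "2016-02-17T09:30:00 alice READ /shares/returns/2015/bbc-q2.xlsx",
    "2016-02-17T16:00:00 bob READ /shares/policy/final.docx",
]
# Constructed burst: on 18 Feb alice reads every quarterly return for six years
# (2010-2015) within 24 minutes, well outside her normal two or three reads a day.
BURST_LINES = [
    f"2016-02-18T18:{i:02d}:00 alice READ /shares/returns/{2010 + i // 4}/all-q{i % 4 + 1}.xlsx"
    for i in range(24)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + BURST_LINES)

ABS_BULK_READS = 20      # reads per day that are suspicious regardless of history (assumed)
SIGMA = 3.0              # deviation multiplier against the user's own baseline (assumed)
MIN_BASELINE_DAYS = 3    # other days needed before a deviation score is meaningful


def parse_line(line):
    """Split one audit record into (timestamp, user, action, path)."""
    ts, user, action, path = line.split()
    return datetime.fromisoformat(ts), user, action, path


def daily_activity(log_text):
    """Return {user: {date: {"reads": n, "areas": set()}}}; an 'area' is the
    share path down to the year folder, so breadth across years is visible."""
    activity = defaultdict(lambda: defaultdict(lambda: {"reads": 0, "areas": set()}))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action != "READ":
            continue
        day = activity[user][ts.date()]
        day["reads"] += 1
        day["areas"].add("/".join(path.strip("/").split("/")[:3]))
    return activity


def find_anomalies(log_text):
    """Flag user-days whose read volume is bulk in absolute terms or far above
    that user's own baseline built from their other days."""
    findings = []
    for user, days in daily_activity(log_text).items():
        for date, stats in days.items():
            others = [d["reads"] for od, d in days.items() if od != date]
            reasons = []
            if stats["reads"] >= ABS_BULK_READS:
                reasons.append(f"{stats['reads']} reads in one day (absolute threshold)")
            if len(others) >= MIN_BASELINE_DAYS:
                mean = statistics.mean(others)
                sd = statistics.pstdev(others) or 1.0   # flat baseline: avoid a zero spread
                if stats["reads"] > mean + SIGMA * sd:
                    reasons.append(f"{stats['reads']} reads vs baseline mean {mean:.1f}")
            if reasons:
                findings.append({"user": user, "date": date.isoformat(),
                                 "reads": stats["reads"],
                                 "areas": sorted(stats["areas"]),
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"{f['date']} {f['user']}: {'; '.join(f['reasons'])}; "
              f"touched {len(f['areas'])} year folders")
```

The baseline here is built from all of a user's other days, which suits a batch review of exported audit logs; a live detector would use only days before the one being scored. Tying the same read count to the distinct year folders touched is what separates a genuine bulk export from an analyst re-opening one large folder many times, and is the kind of role-aware profiling the quote is calling for.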
Mark Bower, global director – product management at HPE Security – Data Security, added, “This event illustrates that even with a strong network perimeter in place, it just isn’t enough. Perimeter security is similar to a fence around a house. However, what if someone inside the house is the thief? Today it’s imperative that organisations adopt a data-centric security approach that defends the data itself, typically by encryption or tokenization. This ensures that no matter where the data resides, if a hacker gets it, or in this case, an employee who is granted legitimate access, the data is protected and isn’t useful. This ability to render data useless if lost or stolen is an essential benefit to ensure data remains secure.
“The EU is introducing aggressive new data privacy laws under the General Data Protection Regulation (GDPR) that will force any breached organisation to pay substantial fines that are a percentage of revenues, issue notification within 72 hours and implement modern data security strategies like data-centric security as best practice.
“This major regulatory shift is a result of breaches like this, and the ineffective nature of traditional controls that are unsuited to today’s data workflows, the extended enterprise, insider threats and advanced malware. Organisations have to be planning to meet GDPR now, and more critically, significantly reducing access to live data to minimise future threat impact.”
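Bower's point is that a copy of the working data set should be worthless on its own. Tokenization achieves that by replacing each sensitive field with a random surrogate and keeping the surrogate-to-value mapping in a separately controlled vault. The example below is added here to show the pattern; it is not code from HPE or from the article, and the record layout, field names and in-memory vault are assumptions standing in for a hardened vault service. The working store keeps only what reporting needs in the clear (broadcaster and year) while figures and contacts become tokens that reveal nothing without the vault.

```python
import json
import secrets

# Constructed sample records, not real broadcaster data.
RECORDS = [
    {"broadcaster": "Example TV", "year": 2015,
     "revenue_gbp": 12_500_000, "contact_email": "finance@example-tv.test"},
    {"broadcaster": "Sample Radio", "year": 2015,
     "revenue_gbp": 3_200_000, "contact_email": "accounts@sample-radio.test"},
    {"broadcaster": "Example TV", "year": 2014,
     "revenue_gbp": 11_900_000, "contact_email": "finance@example-tv.test"},
]
SENSITIVE_FIELDS = ("revenue_gbp", "contact_email")   # assumed classification


class TokenVault:
    """Holds the only link between tokens and real values. In practice this
    lives in a separate, tightly access-controlled service; here it is an
    in-memory stand-in so the example runs offline."""

    def __init__(self):
        self._token_for = {}   # (field, value) -> token
        self._value_for = {}   # token -> value

    def tokenize(self, field, value):
        # Same (field, value) always maps to the same token so records can
        # still be joined on the tokenized column; the trade-off is that equal
        # values are recognisable as equal even without the vault.
        key = (field, value)
        if key not in self._token_for:
            token = f"tok_{field}_{secrets.token_hex(8)}"   # random, carries no information
            self._token_for[key] = token
            self._value_for[token] = value
        return self._token_for[key]

    def detokenize(self, token):
        return self._value_for[token]


def protect_record(record, vault):
    """Return a copy suitable for the working store: sensitive fields tokenized."""
    return {k: (vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def reveal_record(record, vault):
    """Reverse protect_record; only callers with vault access can do this."""
    return {k: (vault.detokenize(v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def store_exposes(store, originals):
    """True if any original sensitive value appears anywhere in a serialised
    copy of the store, i.e. a leaked copy would still reveal it."""
    dump = json.dumps(store)
    return any(str(rec[f]) in dump for rec in originals for f in SENSITIVE_FIELDS)


if __name__ == "__main__":
    vault = TokenVault()
    working_store = [protect_record(r, vault) for r in RECORDS]
    print(json.dumps(working_store, indent=2))
    print("leaked copy exposes originals:", store_exposes(working_store, RECORDS))
```

The separation is the whole control: an employee with broad read access to the working store, or an attacker using that employee's credentials, obtains tokens, and the audit trail of detokenize calls on the vault becomes the single place where access to real values has to be justified and can be watched.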