Media regulator Ofcom, the media regulator, has suffered the biggest breach in its history involving the misuse of data that was downloaded by an employee before leaving the company.
The former employee offered a large amount of sensitive information to his new employee, a major broadcaster.
The media regulator has sent out letters to dozens of TV companies that hold an Ofcom licence to broadcast in the UK explaining the data breach.
“On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee,” said a spokesman for Ofcom. “This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.”
One person with knowledge of the letter said that the incident involved the former Ofcom staffer downloading data – possibly as much as six years of data provided by TV broadcasters to the regulator – before leaving the company.
That information was then at some point offered to the ex-staffer’s new employer, known to be a TV broadcaster, potentially to give insight and a competitive edge over rivals.
It is understood that senior management at the broadcaster did not exploit the information, but instead alerted Ofcom.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner,” said the spokesman. “The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
David Gibson, VP of strategy and market development at Varonis, said: “A vast number of data breaches are due to insiders, malicious or otherwise. The root of the problem is that most employees have access to far more information than they need to do their jobs, their data activities are not monitored or analysed for malicious behaviour. This is especially true for unstructured data – the largest, fastest growing kind of data that often contains an organisation’s intellectual property, financial records, and other important content. As a result, low-level workers can access and make off with highly sensitive information, often without anyone knowing.
“To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm’s way.”