Ofcom data breach: Industry reaction and analysis

Reports emerged yesterday that media regulator Ofcom suffered a mass data breach after a former employee leaked sensitive information on TV companies to a major broadcaster.

According to reports, the former Ofcom employee downloaded as much as six years' worth of data before leaving the company, which was then offered to his/her new employer in an attempt to gain an advantage over the competition.

In a statement, a spokesman for Ofcom said: “On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee. This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.”

“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner,” said the spokesman. “The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”

Various industry professionals have offered their thoughts on the news.

Ross Brewer, VP and MD of EMEA at LogRhythm:

“This is a perfect example of how a breach isn’t always a high-tech hack. Sometimes the culprit really can be someone who sits next to you at work, and not the anonymous, faceless, perpetrator that has become synonymous with modern-day cybercrime. Companies need to be aware that when sensitive information is readily available amongst employees, there is the possibility for anyone to abuse their trusted position.

“Companies like Ofcom hold huge quantities of confidential data and this will no doubt be a big wake-up call for the communications regulator. A big problem is that many businesses use the majority of their resources fighting the external threat, often underestimating the impact that the insider threat can have. However, as Ofcom will likely discover, employees can pose a very real threat to a company’s reputation.

“As well as having strict access control policies, it’s vital that businesses have full visibility of their network activity so they are aware of what is happening at all times. Indeed, by continuously monitoring the network, businesses can identify abnormal activity – such as downloading large batches of sensitive data – as soon as it occurs.”

Louise Bulman, Vice President & General Manager, EMEA at Vormetric:

“Ofcom is just one of many businesses to be affected by the ‘insider threat’, involving the inappropriate or unauthorised access and theft of confidential company data, an aspect of security which organisations are continuing to find difficult to address.

“The incident is a perfect example of how firms struggle to protect their data resources from those already legitimately ‘inside the fence’. It is often a case of ineffective management of ‘privileged’ users on corporate networks that causes this type of data breach incident. Every organisation will have employees or contractors who have far-reaching, privileged, computer network access rights – and it is how these users are controlled and secured that is often a weak link in the data security framework.

“Organisations, no matter what their size, need to adopt a layered ‘defence-in-depth’ approach using transparent encryption with access control to ensure that, no matter how or where information exists on systems, it remains secure. Furthermore, an ‘encrypt everything’ strategy reduces the damage that hackers can cause further, as it renders any stolen data illegible and virtually useless.”

David Gibson, VP of strategy and market development at Varonis:

“A vast number of data breaches are due to insiders, malicious or otherwise. The root of the problem is that most employees have access to far more information than they need to do their jobs, and their data activities are not monitored or analysed for malicious behaviour. This is especially true for unstructured data – the largest, fastest growing kind of data that often contains an organisation’s intellectual property, financial records, and other important content.

"As a result, low-level workers can access and make off with highly sensitive information, often without anyone knowing. To make matters worse, outsider attackers often hijack employee or contractor credentials and then have the same free access as insiders. Organisations have to start doing a better job of tracking and analysing how users use data, profiling their roles and behaviours, mapping and reducing unwanted access, discovering sensitive data and locking it down or moving it out of harm’s way."

Christine Andrews, Managing Director of DQM GRC:

"The news brought to our attention that an ex-Ofcom employee has stolen a considerable amount of confidential corporate data in order to win favour with his new employer. Unfortunately, this is an incredibly common, and serious, threat to businesses today. According to research a quarter of employees would sell private company data and risk both their job and a criminal conviction for just £5,000.

"High profile targeted attacks, such as TalkTalk and Sony, generate fear in businesses from external hacking attempts, but in this day and age businesses need to be wary of both those on the inside as well as on the outside.

"The good news is that there are ways companies can keep an eye on their confidential information – even when it has left the building. Data Watermarking allows you to add unique tracking records (known as "seeds") into your database and then monitors how your data is being used - even when it has moved outside of your organisation's direct control. The service works for e-mail, physical mail, landline and mobile telephone calls and is designed to build you a detailed picture of the real use of your data."

Mark Bower, global director for product management at HPE Security:

"This event illustrates that even with a strong network perimeter in place, it just isn’t enough. Perimeter security is similar to a fence around a house. However, what if someone inside the house is the thief? Today it’s imperative that organisations adopt a data-centric security approach that defends the data itself, typically by encryption or tokenisation. This ensures that no matter where the data resides, if a hacker gets it, or in this case, an employee who is granted legitimate access, the data is protected and isn’t useful. This ability to render data useless if lost or stolen is an essential benefit to ensure data remains secure.

"The EU is introducing aggressive new data privacy laws under the General Data Protection Regulation (GDPR) that will force any breached organisation to pay substantial fines that are a percentage of revenues, issue notification within 72 hours and implement modern data security strategies like data-centric security as best practice.

"This major regulatory shift is a result of breaches like this, and the ineffective nature of traditional controls that are unsuited to today's data workflows, the extended enterprise, insider threats and advanced malware.

"Organisations have to be planning to meet GDPR now, and more critically, significantly reducing access to live data to minimise future threat impact."
