“On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee,” an Ofcom spokesman told The Guardian. “This was a breach of the former employee’s statutory duty under the Communications Act and a breach of the contract with Ofcom.”
According to the newspaper, the former employee may have stolen as much as six years of potentially sensitive data provided to the regulator by TV companies and offered it to the new employer. Senior management at the new employer apparently then alerted Ofcom.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner,” the spokesman said. “The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
FinalCode COO Scott Gordon told eSecurity Planet by email that the Ofcom breach demonstrates how important it is to secure sensitive information at the file level. “The idea that one malicious or disgruntled employee can damage your business by accessing sensitive data is frightening – but it’s a valid concern that should be addressed through proper file security measures,” he said.
According to Skyhigh Networks’ Cloud Adoption & Risk Report for Q4 2015, 89.6 percent of organizations experience at least one insider threat each month, up from 85 percent of organizations in Q4 2014. The average organization experiences 9.3 insider threats each month.
The 2015 Clearswift Insider Threat Index found that 72 percent of security professionals believe their board doesn’t treat internal security threats with the same level of importance as external security threats. Still, 40 percent of companies expect to experience a data breach resulting from employee behavior in the next 12 months.
And the SANS 2015 Survey on Insider Threats found that while 74 percent of 772 IT security professionals surveyed said they’re concerned about insider threats, 32 percent said they have no ability to prevent an insider breach.
While 69 percent of respondents to the SANS survey have an incident response plan in place, more than half of those respondents said the plan has no special provisions for insider threats.