An ex-Ofcom employee stole commercially sensitive data about the UK’s major TV broadcasters – and then offered it to one of them
Ofcom has admitted that a former employee stole data from the regulator exposing commercially sensitive information about the UK's biggest TV companies.
The ex-employee, having left Ofcom, joined one of those TV companies – and offered the information to their new employer, bringing the theft to light, City A.M understands.
Ofcom was made aware of the theft two weeks ago after the broadcaster alerted them to the matter. The rest of the industry was informed of the breach in a letter from the regulator in the following week.
“On 26 February we became aware of an incident involving the misuse of third-party data by a former Ofcom employee.This was a breach of the former employee’s statutory duty under the communications act and a breach of the contract with Ofcom,” a spokesperson said.
"As soon as we had established the facts of what happened, we promptly informed all parties who might have been affected.
“Ofcom takes the protection of data extremely seriously, and we are very disappointed that a former employee has chosen to act in this manner. The extent of the disclosure was limited and has been contained, and we have taken urgent steps to inform all parties.”
Ofcom does not hold personal information and therefore would not need to notify the Information Commissioners Office about the information leak, however, it's understood the data regulator has been informed.
Information held by Ofcom includes commercially sensitive information, for instance in-depth details of business plans by broadcasters submitted during consultations which is redacted from publication in Ofcom's reports..
The data leak is unusual in its low-tech means when more commonly private information is obtained via hacking into online systems or scams which persuade people to hand over security access.
“This is a perfect example of how a breach isn’t always a high-tech hack. Sometimes the culprit really can be someone who sits next to you at work, and not the anonymous, faceless, perpetrator that has become synonymous with modern-day cybercrime," said European head of security intelligence firm LogRhythm, Ross Brewer.
"Companies need to be aware that when sensitive information is readily available amongst employees, there is the possibility for anyone to abuse their trusted position."