Ordnance Survey Breach Hits Employee Data

UK mapping agency Ordnance Survey has suffered a security breach leading to the compromise of data on 1000 employees, according to reports.

The government body is said to have discovered the incursion and immediately remediated the problem back in January. However, while staff and privacy watchdog the Information Commissioner’s Office (ICO) were informed, it has taken until now for the incident to go public.

It’s unclear when the breach happened, but the attacker is thought to have compromised the CFO’s email account via a phishing attack, exfiltrating payroll files, according to Verdict.

In a statement sent to the title, Ordnance Survey clarified that no customer information was compromised and its own systems remain unaffected.

“During IT security checks we identified a data breach which targeted an Ordnance Survey email account. We immediately took action and implemented a number of measures including informing the ICO,” it continued.

“Investigations have identified that some employee information has been potentially compromised. We are working with all affected employees providing advice and guidance on personal information security. As a precaution employees have been offered access to an identity fraud protection scheme.”

The ICO has confirmed that the remedial steps taken by Ordnance Survey following the incident are sufficient and it will be taking no further action.

Ashley Hurst, partner at law firm Osborne Clarke, argued that employees are still falling for phishing attacks, despite awareness-raising campaigns.

“Gone are the days where the phishing emails are riddled with typos and made from random email addresses. They are becoming increasingly difficult to spot, especially on mobile. Links can be hidden causing employees to click on them,” he added.

“A golden rule is never to type in a username or password at the request of an email unless you are 100% sure that the request is legitimate. Well-known brands simply don't make these requests by email.”
