Student Loans Company Dismissals Highlight Insider Risk

Over 20 staffers at the Student Loans Company (SLC) have faced disciplinary action for computer misuse and other offenses, including three former employees who were fired, according to new Freedom of Information (FoI) data.

Litigation firm Griffin Law revealed the findings of its FoI requests to the non-profit, which is owned by the UK government’s Department for Education and is responsible for administering loans and grants to students.

While several of the 23 offenses related to excessive internet use during work time, one of which resulted in dismissal, several involved the culprits accessing the accounts of friends and family members.

That resulted in one dismissal in 2019, and this year one individual on a final written warning and another suspended pending an investigation.

Many of the other offenses related to inappropriate use of social media or the sharing of inappropriate content via email.

Several offenders used offensive or aggressive language targeting colleagues on Facebook, while one was fired in 2018 after sharing content on the social network linking a colleague to criminal activity. That was judged to have potentially brought the SLC into disrepute.

On one occasion in 2020, a former SLC employee was sacked after sharing inappropriate and offensive material on Microsoft Teams, according to Griffin Law.

An SLC spokesperson got in touch with Infosecurity seeking to put the findings into context.

“At SLC we have robust policies and procedures in place to ensure that colleagues use technology appropriately, to identify instances of unacceptable behaviour and to take action when required,” they said in a statement. “We employ over 3000 colleagues and as the data rightly demonstrates there have been very few instances over the past four years where action was required.”  

Torsten George, a cyber evangelist at Absolute Software, argued that the FoI data highlights the risk of malicious insiders accessing and potentially stealing sensitive customer information.

“The risk of SLC employees walking away with sensitive data or selling their access credentials has never been greater now that a record number of individuals have been made redundant and face financial hardship due to COVID-19,” he added.

“All too often, large organizations like the SLC are aware of the challenges related to external threat actors, and they, therefore, focus their efforts on creating deterrents to protect against these cyberattacks. In doing so, they often overlook the fact that the biggest threats can arise from within.”

What’s Hot on Infosecurity Magazine?