Ordnance Survey hacked, exposing 1,000 employees’ data

Article by Robert Scammell – Verdict

A hacker stole the personal data of 1,000 employees of the Ordnance Survey, the government-owned mapping agency for Britain, Verdict can reveal.

The agency, which produces digital and paper maps for businesses and consumers, confirmed the breach to Verdict but was unable to go into detail about the type of personal details that were compromised.

An Ordnance Survey spokesperson said that fewer than five employees had their bank details “potentially” compromised.

The Ordnance Survey discovered the breach during IT checks in January this year, closing it immediately after discovery. Ordnance Survey did not disclose when the breach started. Staff have been notified, with Ordnance Survey providing access to identity fraud protection services to its employees.

The agency said the breach “most likely resulted from a phishing attack targeting email”. Phishing emails see cybercriminals send genuine-looking emails in an attempt to solicit personal information or induce the victim to click on a harmful link.

Verdict understands that the hacker compromised the Ordnance Survey email account of its chief financial officer to send payroll files to an external email address. However, the Ordnance Survey spokesperson was unable to confirm or deny this.

No customer data was affected, the spokesperson added.

Ordnance Survey hacked: No systems targeted

In a statement, the Ordnance Survey said:

“During IT security checks we identified a data breach which targeted an Ordnance Survey email account. We immediately took action and implemented a number of measures including informing the Information Commissioners Office (ICO). The ICO confirmed that they intend to take no further action in relation to the data breach.

“Investigations have identified that some employee information has been potentially compromised. We are working with all affected employees providing advice and guidance on personal information security. As a precaution employees have been offered access to an identity fraud protection scheme.

“We have no evidence to believe that any customer information has been compromised or that any OS systems were targeted.”

An ICO spokesperson said:

“The Ordnance Survey made us aware of an incident. After looking at the details and the remedial actions Ordnance Survey undertook, we provided the organisation with advice and concluded no further action was necessary.”

It is unknown who was responsible for the hack, or what happened to the stolen data.

“On the face of it this seems to have been handled well,” said Malcolm Taylor, director of cybersecurity at security consultancy ITC Secure. “The relevant authorities have been informed, and staff have been kept informed and offered help to manage their identity risks; a reminder that security is also about the response, and that the ICO also look at how an organisation responds should a breach occur.”

Jake Moore, cybersecurity specialist at cybersecurity firm ESET, said: “We all like to think that we’re not susceptible to social engineering or manipulation, but the truth is that even intelligent, self-aware people still get caught up in online scams that can have very damaging consequences.

“Many people will even admit they don’t click on phishing emails, but what if they are only the emails that they know to be scams? Some may still slip through the net without realisation and as seen here, can have serious effects.”

Taylor added: “Training needs to reach from the top to the bottom of an organisation. We see too many companies who train their staff but not their seniors, or where seniors are too busy to commit to attending training. Targeted email attacks are out there, are aimed at seniors, and without training and security services they succeed.”

Ordnance Survey has been a government-owned company since 2015, with its board accountable to the Secretary of State for Business, Energy and Industrial Strategy.

A Freedom of Information request made in 2016 showed that Ordnance Survey suffered one breach between 2014 and 2015, with a further eight security incidents where data was not lost.