
The British Museum Incident: A Stark Reminder of the Importance of Access Controls

By Jess Pembroke, Director of Information Law Services

The recent incident at the British Museum, where a former employee allegedly shut down the museum’s IT systems, highlights the critical need for robust access controls and effective management of starters, leavers, and physical access.

Former employees can pose significant risks to organisations. Disgruntled ex-employees may seek revenge through malicious activities such as data theft, system sabotage, or leaking sensitive information. If access credentials are not promptly revoked, they can still reach systems and data, leading to unauthorised access and potential security incidents. Ex-employees might also take proprietary information to competitors, causing financial and reputational damage. Retained access can disrupt business operations if data is deleted or corrupted, leading to downtime and loss of productivity. Even without malicious intent, former employees can pose risks, and failure to manage access controls properly can also lead to non-compliance with regulations such as GDPR, resulting in fines and legal repercussions.

The Incident

On 25 January 2025, the British Museum, one of the UK’s most popular tourist attractions, was partially closed after a dismissed IT contractor allegedly broke into the building and shut down several of its systems[i]. This breach not only disrupted operations but also exposed weaknesses in the museum’s access control processes. Notably, the contractor had been dismissed the week prior, raising serious questions about why they still had physical access to the building and technical access to the museum’s systems.

Importance of Starters and Leavers Processes

Effective management of starters and leavers is crucial in maintaining organisational security:

  1. Joiners: New employees should be onboarded with the necessary access rights and credentials. This includes training on security policies and physical access protocols to ensure they understand their responsibilities from day one.
  2. Movers: As employees change roles, their access permissions must be updated to reflect their new responsibilities. Regular reviews ensure that access remains appropriate and minimises the risk of unauthorised entry.
  3. Leavers: When employees leave, their access must be revoked immediately. This includes deactivating digital accounts and retrieving physical access credentials to prevent any potential misuse.
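One way to operationalise the leaver step above, as an added example that is not from the article or the museum: a reconciliation check that compares an HR leaver list against an account and badge snapshot and flags any access that survived the leave date, reporting a login after that date as the strongest signal. All names, dates and record fields are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample data: HR leaver records and the access snapshot an
# IT/facilities team might export. Names and dates are illustrative only.
@dataclass(frozen=True)
class Leaver:
    user: str
    leave_date: date

@dataclass(frozen=True)
class AccessRecord:
    user: str
    account_enabled: bool
    last_login: Optional[date]
    badge_active: bool

LEAVERS = [
    Leaver("contractor01", date(2025, 1, 17)),
    Leaver("analyst02", date(2025, 1, 10)),
]

ACCESS = {
    "contractor01": AccessRecord("contractor01", True, date(2025, 1, 24), True),
    "analyst02": AccessRecord("analyst02", False, date(2025, 1, 9), False),
}

REPORT_DATE = date(2025, 1, 25)  # constructed "today" for the check

def leaver_findings(leavers, access, today, grace_days=0):
    """Return (user, issue) pairs for leavers whose access was not fully revoked.
    grace_days allows a short window for offboarding before enabled accounts
    and badges are reported; a login after the leave date is always reported."""
    findings = []
    for lv in leavers:
        rec = access.get(lv.user)
        if rec is None:
            continue  # no account or badge on record; nothing to revoke
        deadline = lv.leave_date + timedelta(days=grace_days)
        if rec.last_login and rec.last_login > lv.leave_date:
            findings.append((lv.user, "login after leave date"))
        if rec.account_enabled and today > deadline:
            findings.append((lv.user, "account still enabled"))
        if rec.badge_active and today > deadline:
            findings.append((lv.user, "badge still active"))
    return findings

if __name__ == "__main__":
    for user, issue in leaver_findings(LEAVERS, ACCESS, REPORT_DATE):
        print(f"{user}: {issue}")
```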

Physical Access Controls

Physical access controls are equally important. This is especially true in an institution such as this, which houses invaluable artefacts like the Rosetta Stone, the Parthenon sculptures, and Egyptian mummies.

Security controls include measures such as ID badges, key cards, and biometric systems to restrict entry to authorised personnel only. Regular audits and updates to access permissions help maintain security and prevent unauthorised access.

Potential Data Breach Implications

Although there have been no suggestions of a personal data breach in this incident (at this stage), the potential impact of such a breach could have been severe. A data breach could have compromised sensitive information about the museum’s operations, employees, and visitors. This could lead to identity theft, financial loss, and further reputational damage. The museum would also face increased scrutiny from regulatory bodies and potentially fines under GDPR.

A breach can severely damage an organisation’s reputation, leading to loss of trust and potential commercial opportunities. It can also disrupt business operations, causing downtime and reduced productivity. For example, security incidents like the partial closure of the British Museum affected its ability to serve visitors and generate revenue. While this was a physical security issue rather than a data breach, it highlights the broader financial and operational risks organisations face when their security is compromised. Data breaches, in particular, can result in the theft of sensitive information and intellectual property, creating long-term financial implications.

Potential Breach of Computer Misuse Act

While there is no specific mention of prosecution under the Computer Misuse Act at this stage, it is possible that charges could be brought against this ex-contractor, given the nature of the offence. The Computer Misuse Act 1990 is designed to protect computer systems from unauthorised access and damage. If the investigation finds that the contractor’s actions meet the criteria for offences under this Act, such as unauthorised access with intent to commit further offences or unauthorised acts with intent to impair the operation of a computer, they could face prosecution under this law.

Conclusion

The British Museum incident underscores the importance of robust access controls and effective management of starters, leavers, and physical access. Organisations must prioritise these measures to safeguard their assets, maintain operational integrity, and protect their reputation. By doing so, they can mitigate the broader costs associated with data breaches and ensure a secure environment for their employees and customers.

If your organisation would benefit from a refresh on data protection practices, please join our course “Data Protection Essentials: An Introduction”, 10 & 11 Feb 2025, 9:30am–1pm. For more information please go to our Eventbrite page or contact our Training Manager at info@naomikorn.com.




[i] BBC News, “British Museum hit by alleged IT attack by ex-worker”.
