This week, a major Isle of Man telecoms provider found itself dealing with two separate security incidents — a data breach affecting customers, and the conclusion of a long-running employee theft case. Neither involved sophisticated hackers or nation-state attackers. Both offer important lessons for every business on the island.

Incident One: The “Simple” Data Breach

The first incident was almost mundane: reminder letters were sent to the wrong addresses. A small number of customers had their name, account number, and outstanding balance shared with unintended recipients.

No passwords. No bank details. No sensitive security information. The company described it as an “isolated operational error, not a systemic data breach.”

And yet, it still triggered an Information Commissioner notification and an assessment of the breach’s scale.

The lesson: Data breaches don’t require hackers. A misfiled spreadsheet, an incorrectly addressed letter, or a CC instead of BCC on an email can all constitute reportable breaches under data protection law. If personal data ends up somewhere it shouldn’t, you have a potential breach on your hands — regardless of how it happened.

Incident Two: Three Years of Insider Theft

The second incident was more serious. An employee had been stealing from the company for nearly three years — from late 2021 through to November 2024. The total value: over £50,000 worth of phone handsets and other goods, some of which were sold on.

The individual pleaded guilty and awaits sentencing next month.

The lesson: Insider threats are real, and they can go undetected for years. This wasn’t a smash-and-grab; it was a sustained pattern of theft that evaded detection across multiple financial years.

Why This Matters for Isle of Man Businesses

It’s tempting to think “that couldn’t happen here” — especially on an island where business relationships are often personal, and trust runs deep. But that same trust can be a vulnerability.

Consider:

  • Do you have inventory controls that would flag missing stock within days, not years?
  • Are financial reconciliations performed frequently enough to catch discrepancies early?
  • Do you have separation of duties so that no single person controls ordering, receiving, and accounting for goods?
  • Are your data handling processes documented and followed consistently?
  • Would you know if a staff member emailed a customer list to their personal address?

Most small and medium businesses don’t have dedicated security teams. That’s understandable. But basic controls don’t require enterprise budgets — they require attention.

Practical Steps You Can Take This Week

For data handling:

  • Review who has access to customer data and whether they still need it
  • Check your processes for bulk communications — is there a second pair of eyes before sending?
  • Make sure your team knows what constitutes a data breach and how to report one internally

For insider threat protection:

  • Implement basic inventory checks — even quarterly counts are better than annual
  • Review user access permissions (especially for departing staff)
  • Enable audit logging on critical systems so you have a trail if something goes wrong
  • Consider whether your insurance covers employee theft (many standard policies don’t)

For both:

  • Document your processes. If it’s not written down, it doesn’t exist
  • Train your team. Most incidents stem from people not knowing what they should do

The Bottom Line

These two incidents at one local company serve as a reminder: security isn’t just about firewalls and passwords. It’s about processes, controls, and culture.

The telecoms provider will recover — they’re a large, established business with resources to manage the fallout. For smaller Isle of Man businesses, a similar pair of incidents could be far more damaging.

Take an hour this week to review your own controls. It’s cheaper than the alternative.