A BBC journalist was recently approached by a cybercrime gang offering a share of a multimillion-pound ransom if he handed over his login details.
While he declined and documented the experience, the incident highlights the real and growing risk of insider threats in cyber security.
And the timing couldn’t be more relevant. With October marking Cyber Security Awareness Month, the BBC case serves as a real-world reminder that the biggest vulnerabilities often come from within – whether through coercion, manipulation, or simple mistakes.
How the Approach Worked
The reporter received a message on the encrypted app Signal from someone claiming to represent Medusa, a ransomware-as-a-service group. The offer was simple but alarming: hand over BBC login credentials and receive up to 25% of any ransom demand.
The criminals even attempted to pressure him with social engineering techniques, including:
- Escalating financial offers (“You’ll never need to work again”).
- Urgency and deadlines (“Do this by Monday midnight”).
- Technical intimidation – sending code to run and bombarding his phone with malicious two-factor authentication (MFA) prompts (known as “MFA bombing”).
This type of manipulation is designed to overwhelm targets and lower their resistance.
Insider Threats in Action
We recently wrote about Insider Threats: Protecting Your Business From the Inside Out – highlighting how employees, contractors, or partners can accidentally or deliberately expose businesses to major risk. The BBC case brings those risks into sharp focus.
While the journalist did the right thing by reporting the approach, had he acted differently, the consequences for both him and the organisation could have been severe. With valid credentials and insider access, attackers can bypass many security layers, making insider threats one of the most dangerous and difficult-to-detect attack vectors facing businesses today.
Legal Consequences for Would-Be Insiders
Had the journalist genuinely gone along with the offer, the legal consequences would have been severe under UK law. Potential charges include:
- Computer Misuse Act (1990)
- Unauthorised access to computer material (up to 2 years).
- Unauthorised access with intent to commit further offences (up to 5 years).
- Acts with intent to impair operation of a computer – ransomware falls here (up to 10 years).
- Serious damage cases (impacting national security or critical infrastructure) – maximum life imprisonment.
- Fraud Act (2006)
- Fraud by abuse of position – up to 10 years.
Realistically, even if no damage occurred, an insider enabling such an attack could expect a prison sentence of 5–8 years. If a real ransomware attack followed, that could rise to 10–20 years.
Lessons for Businesses
This case highlights some key takeaways for organisations of all sizes:
- Educate staff on insider risk. Employees need to know what these approaches look like – from LinkedIn messages to anonymous encrypted apps.
- Deploy layered access controls. No single employee should hold the keys to critical systems.
- Implement MFA resilience. Configure MFA to detect and block “push fatigue” or MFA bombing attacks.
- Encourage reporting. Staff should feel safe escalating unusual approaches, just as the BBC journalist did.
- Monitor for unusual behaviour. Security tools that flag credential misuse or unusual login patterns can catch insider-enabled breaches early.
Final Thought
This story wasn’t just about one journalist – it’s a warning to every business. Insider threats don’t always come from disloyal employees; sometimes, they come from external manipulation, coercion, or simple mistakes.
A proactive, security-first culture and strong technical safeguards remain the best defence. As we explored in our recent piece on Insider Threats: Protecting Your Business From the Inside Out, technology, training, and culture together form the foundation of true resilience.
This Cyber Security Awareness Month, take proactive steps to protect your business.
Book a cyber health check with Dr Logic and build insider threat resilience today.
