"quite a few people at Corsham would be unhappy with news that a contractor with full access to the sensitive site has been hacked"
Well then, how about not letting him use any personal equipment, nor take out any information, nor bring in USB keys ? You can even prevent him from sending email to external addresses, if you like, and not allow mobile phones. You know, for security.
It's one thing to bring a contractor in, have him sign an NDA and let him loose on internal equipment. It's an entirely different realm of stupid to let a contractor in with his own laptop and give him administrative access to your sensitive data.