Crown Prosecution Service suffers 1,600 data breaches in 12 months

The Crown Prosecution Service (CPS) has reported 1,627 data breaches in the space of just 12 month, 59 of them serious enough to warrant notifying the Information Commissioner’s Office (ICO), according to statistics disclosed in its latest annual report for 2019-2020 and analysed by legal practice Griffin Law.

The incidents affected more than 1,000 individuals and included multiple data-handling losses and unauthorised disclosures, as well as the loss of electronic media and paper documents both on and off CPS premises, and lost laptops, tablets and smartphones.

In most of the incidents, the CPS said the data loss was either very minor or eventually recovered. In 20 out of the 21 incidents of lost devices, it recovered the device eventually, and because all devices were encrypted to government standards, no CPS data was compromised.

“The government’s nonchalance over these persistent threats to the UK’s national cyber security is troubling,” said Griffin Law principal Donal Blaney. “In the light of international concerns surrounding hacking and ransoms, not to mention the missing ‘papers’ included in this report from the ICO, can we be sure there aren’t more incidents that go unreported or undetected?”

Blaney added: “These charts reveal very little follow-up action is ever taken and that every faith is placed in the encryption software installed on government-issued devices. To state that ‘no CPS data has been compromised’ is a very bold claim and one which, in my opinion, requires further clarity.”

By far the highest number of severe incidents came between January and March 2020, with 21 events logged to the ICO, three of them relating to the loss of discs, and 18 incidents in which case information was wrongly disclosed. A total of 1,233 people were affected.

By contrast, a mere 11 incidents of unauthorised disclosure of case information impacted 56 people in the preceding October to December quarter, 12 in July to September and 15 in April to June 2019, affecting 34 and 23 people, respectively.

A CPS spokesperson said: “The CPS handles huge amounts of data files every year and staff are trained to make sure personal data is kept securely in line with national security guidelines. Any increase reflects awareness training for all staff which has led to more incidents being reported.

“In 94% of incidents last year the data was eventually recovered or retained within the criminal justice system. In other cases the material was either encrypted or the loss was caused by non-CPS staff. Each incident was followed up to ensure lessons were learned,” the spokesperson said.

Andy Harcup, vice-president at Absolute Software, a supplier of endpoint defence services, said  the disclosures painted a frankly worrying picture of the CPS’s wider cyber security posture.

“The Crown Prosecution Service oversees some of the most sensitive data imaginable, from confidential case files to personal details of witnesses and victims in criminal trials,” said Harcup.

“Against this backdrop, these figures paint a worrying picture of the organisation’s approach to data and device security, with many incidents appearing to put the safety of individuals at risk and some so serious that they required notification of the Information Commissioner’s Office.”

Harcup added: “Moving forward, the CPS needs to up its game with a much more rigorous approach to securing personal data. Key to this effort is ensuring that every mobile device or laptop is protected and retrievable, so that they can be wiped or frozen in the event of loss or theft.

“Additionally, staff need better training on how to reduce data loss incidents, to preserve the integrity and public trust in the CPS brand.”