Ministry of Justice in the dock for catalogue of serious data breaches

The UK Ministry of Justice (MoJ) reported 17 serious data breaches to the Information Commissioner’s Office (ICO) during 2019-2020.

According to data contained in the MoJ annual report (2019-2020) and analysed by the Parliament Street think-tank, the department has been responsible for a catalogue of major incidents of personal data loss affecting a total of 121,355 people.

These included a misplaced, unencrypted USB stick containing documents from a trial, accidental disclosure of the identify of an applicant and the names of children in a domestic violence case, and loss of a laptop and phone containing personal details of MoJ employees.

But by far the largest incident revealed in the report, impacting as many as 120,000 people, involved a sub-processor’s technical error, which made various files on a staff training database briefly accessible to unauthenticated users, allowing one full and one partial unauthorised download. Information disclosed included staff data, such as names, work locations, staff numbers, national insurance numbers, email addresses and training records.

The second largest incident, said to have affected 143 people, saw a set of prison records incorrectly dispatched to the wrong prisoner, leaking data relating to the offender’s friends, family, solicitors and MoJ officials.

In another incident, an applicant’s address, as well as the names of five children, were disclosed to the respondent in a domestic violence court case.

Other recorded incidents included a lost unencrypted USB stick containing about 33,000 documents from a fraud trial, and a stolen laptop, diary, notebook and paperwork relating to offenders, which was taken from a probation officer’s car.

Another incident involved a staff member’s home being burgled, resulting in the theft of a bag containing a laptop and mobile phone, subsequently leaking sensitive data of seven MoJ staff members.

Alarmingly, said the report, there were several incidents of a victim’s details being disclosed to the wrong person, such as when a restraining order applicant’s address was disclosed to a perpetrator because of a mistake in a magistrates’ court.

The MoJ also recorded 6,425 other data incidents, which were deemed not substantial enough to report to the ICO. Some 5,445 of these were labelled “unauthorised disclosure”, and 823 involved the loss of “inadequately protected electronic equipment, devices or paper documents”.

Other incidents notified during the period included the disclosure of the incorrect details of 18,864 children in national insurance letters, a delivery error resulting in a response to a subject access request going to the wrong address, paperwork left on a train, a completed Excel spreadsheet issued in error instead of a blank one, and an HM Revenue and Customs (HMRC) adviser incorrectly accessing a taxpayer’s record and issuing a refund to the person’s mother.

In fact, this is the second recent occurrence of a government department breaching data guidelines. On 7 December, HMRC referred itself to the ICO over 11 separate data security incidents between April 2019 and April 2020. These included a fraudulent attack that resulted in the theft of personally identifiable information about 64 employees from three different PAYE schemes – potentially affecting up to 573 people – and a cyber attack on an HMRC agent and their data that saw the self-assessment payment records of 25 people compromised.

Commenting on the MoJ breaches, Tim Sadler, CEO of Tessian, which calls itself the world’s first human layer security platform, said that as organisations expect people to be responsible for more and more sensitive data, measures must be in place to prevent the mistakes that compromise security.

“Failure to do so could result in regulatory fines and ruined reputations,” he said. “Data security is, today, well and truly in the hands of the employees. But, sometimes, employees make mistakes – as we can see from the breaches reported by the MoJ to the ICO.

“It’s human nature – people misplace things, we send emails containing sensitive information to the wrong person, and we click the wrong buttons. And because people are in control of more data than ever before, the risk of that data being accidentally leaked or exposed is only growing.”