A short entry in the Ministry of Justice (MoJ) annual report 2012/2013 was noticed and highlighted yesterday by the Law Gazette. It was one of just four incidents reported as 'significant' by the MoJ. "A network server used to support printing was suspected to have been stolen by a subcontractor during the decommissioning of Salford Magistrates Court," states the annual report. It adds that the number of people potentially affected is "not known, but over 400,000 files were technically retrievable."
According to the Law Gazette, "Justice minister Helen Grant last week confirmed that the theft only came to light in May 2012 when the server was put up for sale on eBay still bearing an IT contractor’s logo." Following an internal enquiry, the matter was reported to the police and the ICO in June 2012.
More than a year later it is still being investigated by the ICO, "and we await their report," said Grant. "The ICO has said it will not comment while it is handling an investigation into the theft," reports the Law Gazette.
But the shadow justice minister, Andy Slaughter, wants to know why things have taken so long. "Details of hundreds of sensitive files which could put victims and witnesses in criminal trials at risk have been stolen," he said, adding "the thief was not caught, nor were potential victims informed."
According to Grant the police found insufficient evidence to identify the thief, but, after reclaiming the server from eBay, a 'detailed forensic analysis' suggested that it was unlikely that information had been taken. "The audit did not identify any access to the files during the time the server was not under the control of MoJ and therefore no action has been taken to inform those affected," said Grant.
Nevertheless, it does seem unusual that a potentially significant loss of sensitive personal data has received little public acknowledgement or disclosure in more than a year of investigation.
Infosecurity approached the ICO for a comment, and was simply told, "We are aware of the data security incident involving the Ministry of Justice. We are making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken."