CPS Under Fire Again After Data Breach Cases Jump 18%

The UK’s Crown Prosecution Service (CPS) has recorded over 1600 data breaches over the course of a year, including scores of unauthorized disclosures classed as “severe,” it has emerged.

The data featured in the CPS annual report revealed a total of 1627 recorded data breaches in the 2019-20 financial year, up 18% from the previous year. These included 59 incidents that were serious enough to be reported to the Information Commissioner’s Office (ICO).

The vast majority (1463) of incidents related to unauthorized disclosure, which usually indicates some form of human error was to blame. Although most (1385) of these were classed as “very minor” or retained within the criminal justice profession, 78 were classed as “severe.”

“The Crown Prosecution Service oversees some of the most sensitive data imaginable, from confidential case files to personal details of witnesses and victims in criminal trials. Against this backdrop, these figures paint a worrying picture of the organization’s approach to data and device security, with many incidents appearing to put the safety of individuals at risk,” argued Absolute Software VP, Andy Harcup.

“Moving forward, the CPS needs to up its game, with a much more rigorous approach to securing personal data. Staff need better training on how to reduce data loss incidents, to preserve the integrity and public trust in the CPS brand.”

The CPS has been found wanting in the past regarding its approach to data protection. In 2018 the ICO fined it £325,000 after the loss of DVDs containing recordings of police interviews with 15 victims of child sex abuse. The CPS is said not to have noticed the DVDs had been lost until a month later.

Prior to this, the service was fined £200,000 in 2015 after sensitive video interviews with victims of violent and sexual crimes were stolen.

Also in 2019-20 there were over 100 cases involving loss of electronic media and paper documents from secure government premises, 27 losses outside government offices, and 21 lost mobile devices — although all but one of these were recovered and all featured government-grade encryption.

Analysis by UK litigation practice Griffin Law claimed that in total these incidents potentially affect over 1300 people.
