The Ministry of Justice (MoJ) reported 17 serious data breaches during the last financial year, according to official figures analysed by the Parliament Street think tank.
The UK government department responsible for running the country’s justice system revealed in its annual report 2019-20 that it informed the Information Commissioner’s Office (ICO) of personal data loss incidents affecting a total of 121,355 people.
In the largest of the incidents reported to the ICO, a technical error in a sub-processor made various files on a staff training database briefly accessible to unauthenticated users, resulting in one full and one partial unauthorized download. This disclosed personal information of 120,000 people, including staff data such as names, work locations, staff numbers, national insurance numbers, email addresses and training records.
The second largest incident was caused by a set of prison records being dispatched to the wrong prisoner by mistake. Impacting a total of 143 people, this exposed data relating to the offender’s friends, family, solicitors and MoJ officials.
Other breaches included an applicant’s address and the names of five children being disclosed to the respondent in a domestic violence court case, a lost unencrypted USB stick containing around 33,000 documents from a fraud trial and the leaking of sensitive data about seven staff members following the theft of a laptop and mobile phone.
A further 6425 data incidents were recorded by the MoJ in the 12-month period, although these were not substantial enough to be reported to the ICO. Most (5445) were labelled as ‘unauthorized disclosure’, while 823 were the result of ‘inadequately protected electronic equipment, devices or paper documents’.
Commenting on the figures, Tim Sadler, CEO at Tessian, said: “Data security is, today, well and truly in the hands of the employees. But, sometimes, employees make mistakes - as we can see from the breaches reported by the MoJ to the ICO. It's human nature; people misplace things, we send emails containing sensitive information to the wrong person, and we click the wrong buttons. And because people are in control of more data than ever before, the risk of that data being accidentally leaked or exposed is only growing.
“As organizations expect people to be responsible for more and more sensitive data, measures must be in place to prevent the mistakes that compromise security. Failure to do so could result in regulatory fines and ruined reputations.”