Ministry of Justice in the dock for a catalog of serious data leaks

The UK Ministry of Justice (MoJ) reported 17 serious data breaches to the Information Commissioner’s Office (ICO) during 2019-2020.

According to data contained in the Annual report of the Ministry of Justice (2019-2020) and analyzed by the Parliament Street think tank, the department has been responsible for a catalog of major incidents of personal data loss affecting a total of 121,355 people.

These included a lost and unencrypted USB stick containing court documents, the accidental release of an applicant’s identity and children’s names in a domestic violence case, and the loss of a laptop and phone containing personal data of Ministry of Justice employees.

But by far the largest incident revealed in the report, affecting as many as 120,000 people, involved a technical error in a sub-processor, which made various files in a staff training database briefly accessible to unauthenticated users and allowed a full and a partial unauthorized download. The information disclosed included personnel details such as names, work locations, personnel numbers, national insurance numbers, email addresses, and training records.

The second-largest incident, said to have affected 143 people, saw a set of prison records incorrectly sent to the wrong prisoner, leaking data relating to the offender’s friends, family, lawyers, and Ministry of Justice officials.

In another incident, the address of an applicant, as well as the names of five children, were revealed to the defendant in a domestic violence court case.

Other recorded incidents included a lost unencrypted USB stick containing around 33,000 documents from a fraud trial, and a stolen laptop, journal, notebook and documents related to the criminals, which were removed from a probation officer’s car.

Another incident involved a robbery at the home of a staff member, resulting in the theft of a bag containing a laptop and a mobile phone, and later confidential data of seven staff members of the Ministry of Justice was leaked.

Alarmingly, the report said, there were several incidents in which a victim’s details were revealed to the wrong person, such as when the address of an applicant for a restraining order was revealed to a perpetrator due to a mistake at a magistrates’ court.

The Justice Ministry also recorded another 6,425 data incidents, which were deemed not substantial enough to report to the ICO. Some 5,445 of these were labeled “unauthorized disclosure” and 823 involved the loss of “inadequately protected electronic equipment, devices or paper documents.”

Other incidents reported during the period included the disclosure of the incorrect details of 18,864 children in national insurance letters, a delivery error that sent a response to a subject access request to the wrong address, paperwork left on a train, a completed Excel spreadsheet mistakenly issued instead of a blank one, and an HM Revenue and Customs (HMRC) advisor who incorrectly accessed a taxpayer’s record and issued a refund to the person’s mother.

In fact, this is the second recent occurrence of a government department violating the data guidelines. On December 7, HMRC referred to the ICO about 11 separate data security incidents between April 2019 and April 2020. These included a fraudulent attack that resulted in the theft of personally identifiable information on 64 employees of three different PAYE schemes, which could affect up to 573 people, and a cyberattack on an HMRC agent and their data that compromised the self-assessment payment records of 25 people.

Commenting on the MoJ breaches, Tim Sadler, CEO of Tessian, which calls itself the world’s first human-layer security platform, said that as organizations expect people to be held accountable for more and more sensitive data, they must implement measures to avoid mistakes that compromise security.

“Failure to do so could result in regulatory penalties and a ruined reputation,” he said. “Data security is, today, truly in the hands of the employees. But, sometimes, employees make mistakes, as we can see in the infractions reported by the Ministry of Justice to the ICO.

“It’s human nature: people misplace things, we email confidential information to the wrong person, and we click the wrong buttons. And because people are in control of more data than ever before, the risk of that data being accidentally leaked or exposed is only increasing.”
