Crown Prosecution Service guilty of 1,500-plus data breaches in last 12 months

The data, which is contained in the CPS’ Annual Report, has been analysed by Griffin Law, a leading UK litigation practice. It also reveals that 59 data breach incidents were so severe that they were reported to the Information Commissioner’s Office (ICO). Analysis has also revealed that the data breaches outlined have potentially affected up to 1,346 people.

The period from January to March saw by far the largest quantity of severe personal data incidents, with 21 data handling incidents leading to the loss of ABE and media discs, as well as an additional 18 incidents of unauthorised disclosure of case information, duly impacting no less than 1,233 people in total.

By way of comparison, just 11 incidents of unauthorised disclosures of case information affected 56 people in the period October to December 2019, 12 data handling incidents and unauthorised disclosures of case information impacted 34 people in January to March and 23 people were impacted in April to June 2019 by a total of 15 total personal data incidents.

In all, 1,463 of the total data breaches recorded over the entire financial year were due to unauthorised disclosure of information, with 78 being considered ‘severe’. A further 143 of the total incidents were due to loss of electronic media and paper. In 22 of these instances, the data was never recovered.

The final 21 reported cases were due to loss of devices, including laptops, tablets and mobile phones, although only one of these devices was not eventually recovered. No CPS data was compromised as a result.

Follow-up action

Donal Blaney, principal at Griffin Law, commented: “The Government’s nonchalance over these persistent threats to the UK’s national cyber security is troubling. In light of international concerns surrounding hacking and ransoms, not to mention the missing ‘papers’ included in this report from the ICO, can we be sure there are not more incidents that go unreported or undetected? It appears that very little follow-up action is ever taken and that every faith is placed in the encryption software installed on Government-issued devices. To state that: ‘No CPS data has been compromised’ is a very bold claim and one which, in my opinion, requires further clarity.”

Cyber expert Andy Harcup, vice-president at Absolute Software, stated: “The CPS oversees some of the most sensitive data imaginable, from confidential case files to personal details of witnesses and victims in criminal trials. Against this backdrop, these figures paint a worrying picture of the organisation’s approach to data and device security, with many incidents appearing to put the safety of individuals at risk and some so serious they required the Information Commissioner’s Office to be notified.”

Harcup added: “Moving forward, the CPS needs to up its game, with a much more rigorous approach to securing personal data. Key to this effort is ensuring that every mobile device or laptop is protected and retrievable such that they can be wiped or frozen in the event of loss or theft. Additionally, staff need better training on how to reduce data loss incidents in order to preserve the integrity and public trust in the CPS brand.”