Ministry of Justice in dock over 17 “serious data breaches” impacting 120,000-plus individuals 

25 January 2021

THE MINISTRY of Justice (MoJ) has reported 17 “serious data breaches” to the Information Commissioner’s Office (ICO) affecting a total of 121,355 people. That’s according to official figures.

The data, contained in the MoJ’s Annual Report for 2019-2020 and analysed by the Parliament Street Think Tank, reveals a catalogue of major incidents of personal data loss, including a misplaced, unencrypted USB stick containing documents from a trial, the accidental disclosure of the identity of an applicant and the names of children in a domestic violence case, and the loss of a laptop and phone containing personal details of MoJ staff members.

The analysis shows that the largest incident, impacting no fewer than 120,000 individuals, was due to a sub-processor’s technical error which made various files on a staff training database briefly accessible to unauthenticated users, allowing one full and one partial unauthorised download. The information accidentally disclosed included staff data, such as names, work locations, staff numbers, National Insurance numbers, e-mail addresses and training records.

The second largest incident, which impacted 143 people, was the result of a set of prison records being incorrectly dispatched to the wrong prisoner, leaking data relating to the offender’s friends, family, solicitors and Ministry of Justice officials.

In one incident, an applicant’s address and the names of five children were disclosed to the respondent in a domestic violence court case.

Unencrypted USB stick

Other recorded incidents included a lost unencrypted USB stick containing around 33,000 documents from a fraud trial, and the theft of a laptop, diary, notebook and paperwork relating to offenders from a probation officer’s car. There was even one incident of a staff member’s home being burgled, resulting in the theft of a bag containing a laptop and mobile phone, subsequently leaking sensitive data involving seven staff members.

Alarmingly, there were several incidents of a victim’s details being disclosed to the wrong person, such as when a restraining order applicant’s address was disclosed to a perpetrator due to a mistake at a Magistrates’ Court.

The MoJ also recorded a staggering 6,425 additional data incidents deemed not substantial enough to report to the ICO. Of these, 5,445 were labelled as ‘unauthorised disclosure’, while 823 were due to the loss of ‘inadequately protected electronic equipment, devices or paper documents’.

In the hands of employees

Tim Sadler, CEO at Tessian, commented: “Data security is well and truly in the hands of employees. Sometimes, those employees make mistakes as we can see from the breaches reported by the MoJ to the ICO.”

Sadler continued: “It’s human nature. People misplace things. We send e-mails containing sensitive information to the wrong person and we click the wrong buttons. As people are now in control of more data than ever before, the risk of that data being accidentally leaked or exposed is only growing.”

In conclusion, Sadler observed: “As organisations expect people to be responsible for more and more sensitive data, so it stands to reason that measures must be in place to prevent the mistakes that compromise security. Failure to do so could result in regulatory fines and ruined reputations.”