Ministry of Justice Fined Over Data Security Calamity


Upload: john-davis

Post on 12-Apr-2017


Category: Technology




Facebook.com/storetec

Storetec Services Limited

@StoretecHull www.storetec.net

There can be few worse things that can happen to a company's secret data than for it to be leaked into the public domain, but just such a potential catastrophe has afflicted the Ministry of Justice.

The ministry has been fined £140,000 by the Information Commissioner's Office (ICO) for a major breach in August 2011, in which an email concerning upcoming visits, sent to three families of inmates at Cardiff Prison, had a file attached containing details about the 1,182 people who are currently incarcerated there.


Among these were details such as names, ethnicities, home addresses, the nature of the offences committed and release dates. Only when the third of the families to receive the email raised the alarm about the attached file was the mistake spotted.

After this, a member of prison staff and a police officer visited the homes of the recipients to check the email and files had been deleted. However, while such an action was possible because there had been only three recipients, the situation could have been far worse. Had all the families been contacted, for instance, it would have meant trying to chase up over 1,000 households and it would only have required one to have taken the leak further for such information to have gone viral.


This was noted by ICO deputy commissioner and director of data protection, David Smith, who said: "The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.

"Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.


"It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach."

The ICO investigation uncovered a number of major flaws in the way data was handled by Cardiff prison. One of these was an absence of audit trails, which it found would have meant the data breach going unnoticed had a member of the public not alerted them.

Furthermore, there were multiple failings in the way the records of prisoners were kept and information transferred between the two separate networks used by the prison. This was frequently done using unencrypted floppy discs that held large volumes of data.


It is not completely unusual for government departments to fall short on their data security. There have been many tales down the years of how storage devices, laptops and other appliances have been stolen or lost. However, in most cases these have been protected with various layers of extra security, including passwords and encryption. The absence of these in the Cardiff case means there could have been some particularly grave consequences.

For example, if information about an offender was received by anyone wishing to visit reprisals on one of the prisoners after their release, they would know where the individual lived. If the error had not been reported back to the prison, this situation could have arisen without the released prisoners being aware they could be in danger.


The Ministry of Justice commented that such breaches are "extremely rare", but added that the prison had immediately changed its procedures, with "further changes" being put in place right across the prison estate.


Such moves may help stop repeats of the Cardiff incident, but for other organisations and companies, such lax handling of data could have disastrous consequences. For example, it could mean a company leaking details of its employees' pay and remuneration, which might end up in the hands of fellow staff. Vital company data could end up being seized by rivals and, in the case of government departments, highly secure information that is lost could have untold consequences – a point made by those trying to curb the potential damage done by the likes of Wikileaks. The consequences of failure at Cardiff could have been far worse.


Storetec News/Blogs. "http://www.storetec.net/news-blog/ministry-of-justice-fined-over-data-security-calamity/". Ministry of Justice Fined Over Data Security Calamity. October 22, 2013. Storetec.