The Ministry of Justice (MoJ) has reported 17 “serious” data breaches to the Information Commissioner’s Office (ICO), affecting a total of 121,355 people, according to official figures.

The data, contained in the MoJ’s annual report (2019-2020), and analysed by the Parliament Street think tank, reveals a catalogue of major incidents of personal data loss, including a misplaced, unencrypted USB stick containing documents from a trial; the names of children in a domestic violence case; and the loss of a laptop and phone containing the personal details of MoJ staff members.

The analysis showed the largest incident - impacting 120,000 people - was due to a “sub-processor’s technical error”, which made various files on a staff training database briefly accessible to unauthenticated users, allowing one full and one partial unauthorised download.

Information accidentally disclosed included staff names, work locations, staff numbers, National Insurance numbers, email addresses and training records.

The second largest incident, which impacted 143 people, was the result of a set of prison records being incorrectly dispatched to the wrong prisoner, leaking data relating to the offender’s friends, family, solicitors and Ministry of Justice officials.

In another incident, an applicant's address, as well as the names of five children, were disclosed to the respondent in a domestic violence court case.

Other recorded incidents included a lost unencrypted USB stick containing around 33,000 documents from a fraud trial, and a stolen laptop, diary, notebook and paperwork relating to offenders, which was taken from a probation officer’s car.

Additionally, the MoJ recorded 6,425 data incidents, which were deemed “not substantial enough” to report to the ICO - 5,445 of these were labelled as “unauthorised disclosure” and 823 were due to loss of “inadequately protected electronic equipment, devices or paper documents”.

Tim Sadler, chief executive of data security firm Tessian, said: “Data security is well and truly in the hands of employees. Measures must be in place to prevent the mistakes that compromise security, failure can result in regulatory fines and ruined reputations.”

Share Story: