http://www.storetec.net/news-blog/ministry-of-justice-fined-over-data-security-calamity
Ministry of Justice Fined Over Data Security Calamity
Storetec Services Limited (@StoretecHull, www.storetec.net, Facebook.com/storetec)
There can be few worse things that can happen to a company's secret
data than for it to be leaked into the public domain, but just such a
potential catastrophe has afflicted the Ministry of Justice.
The ministry has been fined £140,000 by the Information
Commissioner's Office (ICO) for a major breach in August 2011, in
which an email about upcoming visits, sent to three families of
inmates at Cardiff Prison, had a file attached containing details of
the 1,182 people who were incarcerated there at the time.
Among these were details such as names, ethnicities, home
addresses, the nature of the offences committed and release dates.
Only when the third of the families to receive the email raised the alarm
about the attached file was the mistake spotted.
After this, a member of prison staff and a police officer visited the
homes of the recipients to check the email and files had been deleted.
However, while such an action was possible because there had been
only three recipients, the situation could have been far worse. Had all
the families been contacted, for instance, it would have meant trying to
chase up over 1,000 households and it would only have required one
to have taken the leak further for such information to have gone viral.
This was noted by ICO deputy commissioner and director of data
protection, David Smith, who said: "The potential damage and distress
that could have been caused by this serious data breach is obvious.
Disclosing this information not only had the potential to put the
prisoners at risk, but also risked the welfare of their families through the
release of their home addresses.
"Fortunately it appears that the fall-out from this breach was contained,
but we cannot ignore the fact that this breach was caused by a clear
lack of management oversight of a relatively new member of staff.
Furthermore the prison service failed to have procedures in place to
spot the original mistakes.
"It is only due to the honesty of a member of the public that the
disclosures were uncovered as early as they were and that it was still
possible to contain the breach."
The ICO investigation uncovered a number of major flaws in the way
data was handled by Cardiff prison. One of these was an absence of
audit trails, which meant the breach would have gone unnoticed
had a member of the public not alerted the prison.
Furthermore, there were multiple failings in the way the records of
prisoners were kept and information transferred between the two
separate networks used by the prison. This was frequently done using
unencrypted floppy discs that held large volumes of data.
It is not completely unusual for government departments to fall short on
their data security. There have been many tales down the years of how
storage devices, laptops and other appliances have been stolen or lost.
However, in most cases these have been protected with various layers
of extra security, including passwords and encryption. The absence of
these in the Cardiff case means there could have been some
particularly grave consequences.
For example, if information about an offender was received by anyone
wishing to visit reprisals on one of the prisoners after their release, they
would know where the individual lived. If the error had not been
reported back to the prison, this situation could have arisen without the
released prisoners being aware they could be in danger.
The Ministry of Justice commented that such breaches are "extremely
rare", but added that the prison had immediately changed its
procedures, with "further changes" being put in place right across the
prison estate.
Such moves may help stop repeats of the Cardiff incident, but for other
organisations and companies, such lax handling of data could have
disastrous consequences. For example, it could mean a company
leaking details of its employees' pay and remuneration, which might end
up in the hands of fellow staff. Vital company data could end up being
seized by rivals, and in the case of government departments, highly
secure information that is lost could have untold consequences – a
point made by those trying to curb the potential damage done by the
likes of Wikileaks. The consequences of failure at Cardiff could have
been far worse.