IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Ministry of Justice hit with £140K data breach fine

Information Commissioner's Office hits out after prison staff email sensitive information about inmates to several people.

Email again

The Ministry of Justice has been hit with a 140,000 data breach fine after details about all the prisoners serving at a Welsh jail were emailed to several inmates' families.

The incident came to light in August 2011 after one of the recipients alerted HMP Cardiff about receiving a spreadsheet stating the names, ethnicities, addresses, sentence length and release date information about all 1,182 of the prison's inmates.

The document was attached to an email about a forthcoming visit, and also contained coded information about the offences the inmates had carried out.

An internal investigation into the incident also revealed the same error had occurred on two other occasions the previous month, with the details being forwarded on to two further families.

Neither of these incidents was reported at the time, and all three recipients were visited by the police and prison staff to ensure the information was deleted.

Even so, the Ministry of Justice has been ordered to pay a 140,000 fine by the Information Commissioner's Office (ICO) for breaching the Data Protection Act.

The breach was reported to the ICO a month after the third breach took place, with an investigation by the data protection watchdog flagging several areas of concern regarding the organisation's approach to data handling.

For example, the investigation revealed unencrypted floppy disks were regularly used to transfer large volumes of data between prison networks, while a lack of audit trails means the disclosures would have gone unnoticed if the breach had not been reported in the first place.

David Smith, the deputy commissioner and director of data protection, said although the fallout from the breach was contained the leaked information could potentially have put the affected prisoners and their families at risk.

"The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses," explained Smith.

"It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach," he added.

In a statement to IT Pro, a Ministry of Justice spokesperson said the organisation takes information security "very seriously" and assured those concerned that it took "immediate steps" to recover the leaked data.

"These types of incidents are extremely rare but this does not mean that we are complacent," the statement continued.

"A thorough investigation was held by the prison who immediately altered their procedures, and further changes were implemented across the prison estate."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

MoJ faces £17.5m GDPR fine over subject access request backlog
data protection

MoJ faces £17.5m GDPR fine over subject access request backlog

20 Jan 2022
Cabinet Office fined £500,000 for New Year Honours data leak
data breaches

Cabinet Office fined £500,000 for New Year Honours data leak

3 Dec 2021
ICO publishes new data protection standards for the adtech industry
data protection

ICO publishes new data protection standards for the adtech industry

25 Nov 2021
Celebrity data leaked after ransomware attack on London's Graff jewellers
ransomware

Celebrity data leaked after ransomware attack on London's Graff jewellers

1 Nov 2021

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Researchers demonstrate how to install malware on iPhone after it's switched off
Security

Researchers demonstrate how to install malware on iPhone after it's switched off

18 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022