UK Prisons Issued Encrypted Drives to Stop Exposing Data but That Didn’t Work
Accidentally leaked credentials; Insider attack; Misplaced data
The Ministry of Justice was fined about $300,000 for losing a device with prison records, after not realizing one must turn on disk encryption for it to function.
This was a repeat offense for the department, following a similar case in October 2011, when an unencrypted hard drive containing the details of 16,000 prisoners was lost.
The most recent incident, in May 2013, involved an unencrypted back-up hard drive at a jail in Wiltshire that contained confidential information on about 2,935 inmates, including details of links to organized crime, health data, and material about visitors.
The thing is, in May 2012 the Prison Service had issued new hard drives with encryption capabilities to each of its 75 prisons in England and Wales.
An investigation by the Information Commissioner’s Office found the Prison Service wasn’t aware the encryption option needed to be activated to work.
Stephen Eckersley, ICO head of enforcement, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.”
As a result, confidential information about prisoners and vulnerable members of the public was insecurely handled for more than a year, he said.
August 26, 2014