England: Prosecutors guilty of over 1,500 data breaches in the last year

The data, contained in the annual CPS report and analysed by Griffin Law, a UK litigation practice, also revealed that 59 incidents were so severe that they were reported to the Information Commissioner’s Office (ICO). Analysis revealed that these incidents potentially affected up to 1,346 people.

The period from January to March saw by far the largest quantity of severe personal data incidents, with 21 data handling incidents leading to loss of ABE and media discs, as well as an additional 18 incidents of unauthorised disclosure of case information, impacting a whopping 1,233 people in total. 

By comparison, just 11 incidents of unauthorised disclosures of case information affected 56 people in the period of October to December 2019, 12 data handling incidents and unauthorised disclosures of case information impacted 34 people in January to March, and 23 people were impacted in April to June 2019 by 15 total personal data incidents. 

In total, 1,463 of the total data breaches recorded over the entire financial year, were due to unauthorised disclosure of information, with 78 being considered ‘severe’. A further 143 of the total incidents were due to loss of electronic media and paper, and in 22 of these instances, the data was never recovered. Finally, the final 21 reported cases were due to loss of devices, including laptops, tablets and mobile phones, although only one of these devices was not eventually recovered, and no CPS data was compromised as a result.

Donal Blaney, principal, Griffin Law, said: “The government’s nonchalance over these persistent threats to the UK’s national cyber security is troubling. In the light of international concerns surrounding hacking and ransoms, not to mention the missing ‘papers’ included in this report from the ICO, can we be sure there aren’t more incidents that go unreported or undetected?

“These charts reveal very little follow-up action is ever taken and that every faith is placed in the encryption software installed on government-issued devices. To state that, ‘no CPS data has been compromised’ is a very bold claim and one which, in my opinion, requires further clarity.”

Cyber expert Andy Harcup, VP, Absolute Software, added: “The Crown Prosecution Service oversees some of the most sensitive data imaginable, from confidential case files to personal details of witnesses and victims in criminal trials. Against this backdrop, these figures paint a worrying picture of the organisation’s approach to data and device security, with many incidents appearing to put the safety of individuals at risk and some so serious they required notification of the Information Commissioner’s Office.

“Moving forward, the CPS needs to up its game, with a much more rigorous approach to securing personal data. Key to this effort is ensuring that every mobile device or laptop is protected and retrievable, so that they can be wiped or frozen in the event of loss or theft. Additionally, staff need better training on how to reduce data loss incidents, to preserve the integrity and public trust in the CPS brand.”