Ministry of Justice fined £140,000 for emailing prisoners' details to inmates' families

Sensitive data included names, addresses, offence codes and release dates

The Information Commissioner's Office (ICO) has fined the Ministry of Justice (MoJ) £140,000 for a serious data breach that led to sensitive details of all the prisoners at one prison being emailed to three inmates' families multiple times.

The breach, affecting all 1,182 inmates at HMP Cardiff, was only discovered when one of the recipients contacted the prison on 2 August 2011 to report that they had received an email from the prison clerk about an upcoming visit, which included a file containing the confidential information.

The file included a spreadsheet with information such as the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by the inmates.

But it was not the first time the data breach had occurred. An internal investigation revealed that the details had been sent to different inmates' families on two occasions in the previous month. However, these incidents were not reported at the time.

The data breaches were reported to the ICO on 8 September 2011, and an investigation identified a number of failings at HMP Cardiff.

The ICO found that there was a lack of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training. There was also a lack of audit trails, which meant that the data breaches would have gone unnoticed had a recipient not reported them.

Furthermore, the prison regularly used unencrypted floppy disks to transfer large volumes of data between the prison's two separate networks.

ICO deputy commissioner and director of data protection, David Smith, said: "The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses."

Following the breaches, a member of the prison's staff went with police to the email recipients' homes, and checks were made to ensure that the files had been deleted. The unauthorised disclosures were reported to the ICO on 8 September 2011.

"Fortunately it appears that the fallout from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore, the prison service failed to have procedures in place to spot the original mistakes," said Smith.

"It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach."


Stories by Anh Nguyen
