The 10 worst-ever government data breaches
Ineptitude, stupidity, and a lack of logic feature in a list which shouldn't even exist
It is absolutely staggering that more than 4,000 data breaches occurred in local councils in just three years - almost four data breaches a day. That is what the privacy campaign group Big Brother Watch claimed in its report "A Breach of Trust".
Yet, when you look at the ridiculous number of security lapses that have occurred in the public sector, perhaps it isn't so surprising after all?
In one case, a social worker left documents containing confidential records about children, and data linked to sex offenders, on a train. In another, a CCTV operator watched part of their colleague's wedding instead of doing their job. And the list goes on...
Perhaps what irks people more is that unlike data that is collected by businesses with whom they have had some sort of optional interaction (ie. it was their own choice), people share data with government through necessity and, very often, the data that is shared is highly personal.
So when government departments, local authorities or NHS trusts then lose that data, it is simply not good enough... Here's Computing's list of the 10-worst government data breaches.
10. Serious Fraud Office makes a seriously stupid mistake
The Serious Fraud Office, an independent government department that investigates and prosecutes serious or complex fraud and corruption, ended up sending a single witness evidence relating to 64 other people in a fraud, bribery and corruption investigation.
The investigation focused on allegations that senior execs at BAE Systems had received payments, including two properties worth over £6m, as part of an arms deal with Saudi Arabia.
The case closed in February 2010, and the SFO began returning evidence documents soon afterwards.
An astonishing 2,000 evidence bags were sent to the witness in question between November 2011 and February 2013, and more than a fifth of these bags contained information about third parties. This included information such as bank statements which showed payments made by BAE Systems to various individuals, hospital invoices, DVLA documents and sensitive data such as passport details.
The ICO found that the evidence had been prepared by a temporary worker at the SFO who had received minimal training and no direct supervision.
Surely information like this should have been handled by someone with some experience?
"People will be quite rightly shocked that the Serious Fraud Office failed to keep the information of so many individuals connected to such a high-profile case secure," said the ICO's deputy commissioner and director of data protection, David Smith.
Smith added that considering how high-profile the case was, and how sensitive the data returned to witnesses potentially was, it was "astounding" that the SFO got this wrong.
"This was an easily preventable breach that does not reflect well on the organisation," he said.
You could say that again, David.
9. A lesson to those wanting to send anything containing sensitive information in the post: Don't.
Two discs containing information about police killings were lost in the post, the Ministry of Justice admitted in January this year.
The lost data included information about the shooting of drug dealer Mark Duggan, who was shot dead by a police marksman; Azelle Rodney, who was shot dead by armed police officers in April 2005; and, Robert Hamill, an Irish Catholic civilian who was beaten to death by a loyalist mob in 1997, over which there have been allegations of collusion by the Royal Ulster Constabulary to protect the perpetrators.
But perhaps those who sent the discs by post should have realised that half a million letters are said to go astray each week: 400,000 lost or stolen and never recovered, and another 100,000 taking more than two weeks to reach their destination.
Or more importantly, they should have realised that the posting of the discs was (and is) a breach of security guidelines. The MoJ said at the time, that disciplinary action would be taken against the individuals responsible, with one member of staff already suspended.
8. Prison leaks 1,182 prisoner details to families
Details of all 1,182 prisoners serving time at HMP Cardiff were sent to three families of inmates in a case which could have put the prisoners and their families at risk, particularly as their home addresses were part of the details that were sent.
The breach was first reported in August 2011 after a family member reported receiving a pre-visit email message, with a spreadsheet attached to it. The spreadsheet contained details including release dates and coded details of crimes and offences committed, of the prisoners in the facility.
An investigation found that the same error had taken place on two occasions within the previous month, but both had gone unreported.
The ICO deputy commissioner and director of data protection, David Smith, said at the time that the breach was "caused by a clear lack of management oversight of a relatively new member of staff".
In other words, HMP Cardiff hadn't trained or supervised a new member of staff. Although no amount of training or supervision can make up for a lack of logic...
7. Sometimes it's not the government's fault
Take the case in 2008 where a hard drive being held by the Ministry of Defence's main IT contractor EDS (now HP Enterprise Services), was lost. It was thought to contain more than 1.5m pieces of information, including the details of 600,000 potential recruits. Other personal information could also have been on the hard drive.
In fact this wasn't the only loss for which EDS was to blame. In September 2008, a hard drive containing details of 5,000 employees of the National Offender Management Service was lost by the company, and in July 2007, a hard drive with details of HM Prison Service staff was lost on EDS premises.
Other high-profile cases of a government IT contractor failing to keep data safe, include the Home Office's IT contractor PA Consulting, which lost an unencrypted memory stick containing details of high risk, prolific and other offenders in August 2008, and Diagnostic Health, a company that carries out ultrasound scans for the NHS, which was involved in a series of data protection breaches, potentially affecting up to 10,000 patients.
A leaked report from the ICO, seen by the BBC, revealed that Diagnostic Health was storing patient data unencrypted on Google Drive, the popular cloud-based file storage and synchronisation service, and its staff shared a password to access those files.
So, yes, not everything is the government's fault. But if you really wanted to, you could still attribute blame to the government department in question for hiring a company that doesn't know how to protect its data properly.
6. Can someone please tell Surrey County Council that it's no longer a mistake when it's happened three times?
Back in 2011, the Information Commissioner's Office (ICO) fined Surrey County Council £120,000 after one of its employees sent sensitive health information of 241 vulnerable individuals to the wrong email address.
The Information Commissioner Christopher Graham said that the significant penalty was given because the first breach was "shocking enough", but the ICO also had to take into account two similar breaches that followed.
"It is clear that Surrey County Council failed to fully address the risks of sending sensitive personal data by email until it was far too late," he said.
"Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated," he added.
5. That time when 3,000 patient records were sold on eBay
When NHS Surrey chose to leave an approved data destruction provider and instead hand over thousands of patients' details to a company without checking that the information had been securely deleted, the consequences were disastrous: the company ended up selling the computers, still holding around 3,000 patient records, on the auction website eBay.
It meant that patients' information was effectively being sold online.
The ICO's head of enforcement, Stephen Eckersley, said that the organisation "should not have to tell organisations to think twice before outsourcing vital services to companies who offer to work for free". Damn right it shouldn't!
He added that the breach was one of the most serious the ICO had witnessed at the time, and that the £200,000 penalty given to NHS Surrey reflected the "disturbing" circumstances of the case.
4. ICO gets hacked, hides story in its annual report
Well here's a real doozy. The regulator that had been lecturing other organisations about their lackadaisical attitude to information security suffered a breach of its own (hence the high ranking in this feature).
"See! It's not that easy!" yelled one former public sector worker whose department had been fined following a data breach.*
The ICO's embarrassing breach was hidden away in the organisation's annual report, and the ICO described it as a "non-trivial data security incident" that prompted a "full internal investigation".
Some nerve the ICO has - being coy about the incident, but spilling the beans about others' embarrassing security lapses without fail.
It's unclear whether the information commissioner Christopher Graham gave his own organisation a fine, but our sources tell us that this was unlikely.
*this didn't really happen
3. HMRC loses CDs containing details of 25 million child benefit claimants
Once again, don't send something with sensitive information in the post (see number 9). In November 2007, HMRC lost two CDs containing details of the families of child benefit claimants in the post.
The data was reported to include names, addresses and dates of birth of children, as well as the National Insurance numbers and bank details of their parents.
The discs did have password protection on them, but it was the built-in password protection of WinZip version 8 - the legacy "ZipCrypto" scheme that predates WinZip's AES support. That scheme is only as strong as the password chosen, it leaves file names and sizes readable without any password at all, and it has a well-documented known-plaintext attack that recovers the contents regardless of the password - i.e. any high school student with access to the internet would easily be able to break this protection.
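The weakness described above can be demonstrated with nothing but the Python standard library. The following is an added example, not code from the original article or from HMRC: it implements the legacy ZipCrypto cipher only so it can build a password-protected archive (Python's zipfile module can read ZipCrypto entries but cannot write them), then shows that the archive listing leaks file names without a password and that a low-entropy password falls to an offline dictionary attack. The sample records and the password `hmrc2007` are constructed for the example and are assumptions; nothing is assumed about the real discs' password. The point generalises beyond the HMRC case to any ZipCrypto archive, whatever tool produced it.

```python
import io
import os
import struct
import zipfile
import zlib

# Constructed sample records, obviously fictional (QQ is not a valid NI prefix).
SAMPLE_RECORDS = (
    b"claimant,ni_number,sort_code,account\n"
    b"Example Parent,QQ123456C,00-00-00,00000000\n"
)


def _make_crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC_TABLE = _make_crc_table()


class ZipCryptoEncryptor:
    """Traditional PKWARE ("ZipCrypto") stream cipher, encrypt direction only.

    Exists purely to build a test archive. The three 32-bit keys are derived
    from the password alone, so the scheme is only as strong as the password
    (and weaker still under a known-plaintext attack, not shown here).
    """

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, byte: int) -> None:
        k0, k1, k2 = self.keys
        k0 = (k0 >> 8) ^ _CRC_TABLE[(k0 ^ byte) & 0xFF]
        k1 = (k1 + (k0 & 0xFF)) & 0xFFFFFFFF
        k1 = (k1 * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRC_TABLE[(k2 ^ (k1 >> 24)) & 0xFF]
        self.keys = [k0, k1, k2]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)


def build_zipcrypto_archive(name: bytes, data: bytes, password: bytes) -> bytes:
    """Return a single-entry, stored (uncompressed), ZipCrypto-protected ZIP."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the CRC's top byte,
    # which readers use as a cheap password check before decrypting the body.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncryptor(password).encrypt(header + data)
    flags, method = 0x0001, 0  # bit 0 = encrypted; method 0 = stored
    dos_time = 12 << 11
    dos_date = ((2007 - 1980) << 9) | (11 << 5) | 20
    local = struct.pack("<4s5H3L2H", b"PK\x03\x04", 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<4s6H3L5H2L", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def list_members(archive: bytes):
    """Names and sizes are readable with no password: ZIP never protected
    metadata, only entry contents."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 1)) for i in zf.infolist()]


def read_member(archive: bytes, member: str, password: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(member, pwd=password)


def crack_password(archive: bytes, member: str, wordlist):
    """Offline dictionary attack: each guess costs one cheap check byte test.

    zipfile raises RuntimeError when the header check byte mismatches and
    BadZipFile for the roughly 1-in-256 guesses that pass it but fail the
    CRC; both mean 'wrong password'."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for candidate in wordlist:
            try:
                zf.read(member, pwd=candidate)
                return candidate
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


def demo():
    password = b"hmrc2007"  # hypothetical weak password, an assumption for the demo
    archive = build_zipcrypto_archive(b"child_benefit.csv", SAMPLE_RECORDS, password)
    wordlist = [b"password", b"letmein", b"benefit", b"hmrc2007", b"Tr0ub4dor&3"]
    return list_members(archive), crack_password(archive, "child_benefit.csv", wordlist)


if __name__ == "__main__":
    print(demo())
```

Two things the run makes visible: the member name and size come back before any password is supplied, and a wrong guess is rejected by a single byte comparison against the encryption header, which is why offline guessing is cheap and scales to wordlists of millions. The deeper problem, the Biham-Kocher known-plaintext attack on ZipCrypto, recovers contents even when the password is strong, which is the reason WinZip later moved to AES for new archives.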
Although HMRC blamed a junior member of staff for the data breach, it led to the resignation of HMRC chairman Paul Gray - showing that pointing the finger at an inexperienced employee isn't always going to cut the mustard as an excuse.
George Osborne, shadow chancellor at the time, said:
"Let us be clear about the scale of this catastrophic mistake - the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post, and the bank account details and National Insurance numbers of ten million parents, guardians and carers have gone missing."
HMRC's handling of data was described as "woefully inadequate" in an Independent Police Complaints Commission report published in June 2008.
2. NHS gets away with selling millions of patients' private data
What's surprising about this story is that the information came from an internal review by the NHS Information Centre (NHS IC), which has since been replaced by the HSCIC.
It found that between 2005 and 2012, 588 data releases were made to 178 private-sector organisations excluding charities, for the purpose of "analytics, benchmarking and research".
The organisations included tech companies, healthcare consultancies, insurance firms and pharmaceutical giants AstraZeneca and GlaxoSmithKline.
Phil Booth, from privacy campaigners MedConfidential suggested that it must have been the case that someone within the HSCIC or NHS IC knew that they were in a mess - or that no one was aware of what was going on.
"I'm not sure which is more terrifying," he exclaimed.
What is terrifying is that the NHS IC seemingly rebranded itself as the HSCIC to escape punishment... and it worked.
"It is not sufficient; you can't just wipe the slate clean. This is like a million records, it's one of the largest [data breaches that have been uncovered] in NHS history so there has to be consequences," Booth said, to no avail.
1. Not knowing the difference between 'on' and 'off'
When HMP Erlestoke in Wiltshire lost a back-up hard drive in May 2013, the Ministry of Justice (MoJ) was fined £180,000 by the ICO. The hard drive, which was unencrypted, contained confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors.
But it wasn't just what the prison had lost which was startling - it was how they lost it.
In May 2012, the prison service had provided new hard drives with an option to encrypt data to all 75 prisons across England and Wales that were still taking back-ups this way. But the ICO found in its investigation that the MoJ didn't realise the encryption option on the new hard drives had to be switched on before it did anything: an encryption feature that ships disabled protects nothing until someone enables it. Unbelievable.
In fact, the ICO's head of enforcement said that the fact the MoJ could supply equipment to prisons without properly understanding it, let alone telling the prisons how to use it, "beggars belief".
An absolute shambles.