The Crown Prosecution Service announced in its Annual Report today that it suffered a total of 1,627 data security incidents in 2019-20, out of which 1,463 incidents involved the unauthorised disclosure of personal and department records by employees.
Data security incidents suffered by Crown Prosecution Service in the period included 116 incidents of loss of electronic and paper documents from secure government premises, 27 incidents of loss of electronic and paper documents from outside secure premises, 21 incidents of lost laptops, tablets, and mobile devices, and 1463 incidents that involved unauthorised disclosure of data.
While 1,385 out of 1,463 incidents of unauthorised disclosure were classified as minor incidents, the remaining 78 were classified as severe and were reported to the Information Commissioner's Office. Out of 1,627 data security incidents, 1,233 incidents occurred during the January to March quarter, compared to just 23 incidents in April-June 2019, 34 in July to September 2019, and 56 in the October to December quarter.
These figures are mentioned in Page 58 of the Crown Prosecution Service's Annual Report and Accounts 2019–20.
“The CPS handles huge amounts of data files every year and staff are trained to make sure personal data is kept securely in line with national security guidelines. Any increase reflects awareness training for all staff which has led to more incidents being reported,” a spokesperson from the Crown Prosecution Service said.
“In 94% of incidents last year the data was eventually recovered or retained within the criminal justice system. In other cases the material was either encrypted or the loss was caused by non-CPS staff. Each incident was followed up to ensure lessons were learned,” the spokesperson added.
Commenting on the figures revealed by the Crown Prosecution Service, Ilia Kolochenko, Founder & CEO of ImmuniWeb, said that like most of the law enforcement services, CPS is considerably understaffed and underfunded for its in-house data protection and cybersecurity, and the unprecedented havoc caused by the pandemic has exacerbated the situation with rapid growth and complication of the threat landscape.
“Cybersecurity personnel are already exhausted and overcharged with mushrooming problems, and they simply cannot police every single employee and subcontractor of the CPS who has privileged access to some sensitive data.
“To tackle the issue, the government should urgently re-evaluate the financial needs of its law protection agencies and adjust the funding to reality. Otherwise, one day the most sensitive national data will become public and trigger a parade of horrors – from a tsunami of lawsuits to hundreds of suicides,” he added.
"As the revelations that the UK’s Crown Prosecution Service (CPS) underscore, although many consider a breach to be driven by cybercriminals, the biggest contributor is still old fashioned human error," said Warren Poschman, Senior Sales Engineer at Comforte AG.
"Whether it be from innocent, unintentional mistakes at one end of the spectrum to depraved indifference and incompetence at the other end, many of these unintended disclosures stem from the presence of sensitive data. In some cases the sensitive data is extraneous – such as pulling analytics reports that contain full datasets instead of minimally targeted ones – while in other cases the data is absolutely necessary.
"To truly get a handle on where data is and who is using it – not to mention the data that exists but isn’t being used – organizations absolutely must be performing continuous discovery and classification followed by rigorous protection of the identified sensitive data using data-centric security technologies such as tokenisation.
"These technologies prevent breaches, accidental or otherwise, and ensure that the most sensitive data is identified and protected regardless of where it exists or who has possession of it – all while maintaining the referential integrity so that analytics, searching, and access by authorized users is still possible," he added.