The British Home Office has confirmed that a USB memory stick containing the unencrypted personal details of convicted criminals has gone missing. Information on the thumb drive included names, addresses, dates of birth and - in some instances - prisoners' release dates.
The USB memory stick was in the possession of external contractor PA Consulting, a private firm working on J Track - an electronic system designed to help government departments monitor offenders. It is understood that the Home Office sent the data via email to PA Consulting in encrypted form, but it was then copied - unencrypted - to the now lost USB data stick.
In total almost 130,000 prisoners are said to have been affected by the data loss:
- The files on the memory stick also included Police National Computer data detailing the names and addresses of England and Wales's worst criminals - approximately 33,000 people with six or more convictions in the last year.
- Names and dates of birth (but not addresses) of 10,000 prolific and other priority criminals.
- Names, dates of birth and - in some cases - expected release dates of all 84,000 prisoners held in England and Wales.
In addition, the lost data included information from the Drugs Interventions Programme, but in this case the files had been sanitised by only using the initials of convicts rather than their full names.
The information lost is highly sensitive not only because of the usual dangers of identity theft, but also because of the risk that criminals who have served their sentences could be attacked by avenging victims.
As we discussed on the blog last month, it's clear that people working with sensitive data are being slapdash in their use of USB memory sticks, and not thinking of the potential security risks.
Although companies can't strip search employees in order to prevent confidential data leaving the business premises each day, they can take steps to help fight data leakage. More and more organizations are looking to control access to USB ports, and to examine data to assess its sensitivity and encrypt it as appropriate, so that they are not the next company or government department making headline news.
Research has shown that approximately 95% of data loss is accidental, so companies need to take action to reduce the chances of an accident like this most recent example happening in their own organization.