Since 2008 departments have been required to report data breaches every year. In this exclusive research – kicking off two weeks of dedicated cybersecurity content on PublicTechnology – SA Mathieson digs through the numbers to uncover government’s biggest security challenges
Credit: Anthony Devlin/PA Archive/PA Images
The below article, published in conjunction with our sister publication Civil Service World, marks the start of the Government Cybersecurity Index – two weeks of content on PublicTechnology focused on the state of data protection and security across the public sector. Look out throughout the next two weeks for more exclusive research, insight, comment, and analysis.
Since his appointment as chancellor in June 2007, Alistair Darling had coped with the Northern Rock bank-run, arguments with Bank of England governor Mervyn King, and his boss Gordon Brown failing to call a much-expected general election. On Saturday 10 November that year – a weekend “the first in a long time that was relatively free from crisis” – he was eating a bacon roll at his Edinburgh home.
Then his duty private secretary called to tell him that HM Revenue and Customs had lost the names, addresses and dates of birth of every child in the country, along with the bank account details and national insurance numbers of every adult claiming child benefit on their behalf. “I flew back to London, but not before going into the garden for an hour,” he wrote in his autobiography, Back from the brink. “There was not a weed left standing.”
HMRC’s loss of personal data relating to 25 million people had an impact far beyond Darling’s garden. Responding in parliament to the chancellor’s statement, then shadow chancellor George Osborne said the loss should mark the end of the Labour government’s identity card scheme. David Cameron had been discussing its flaws for several years, but the HMRC loss is likely to have helped ensure that the government he led from 2010 abolished it.
Osborne also used the loss to criticise civil servants’ ability to handle Britons’ personal data. “They simply cannot be trusted with people’s personal information,” he told parliament, urging government to: “Get a grip and deliver a basic level of competence.”
The incident and subsequent reviews led to attempts to do just that. HMRC introduced tighter data security including new controls on moving personal data, appointed a director of governance and security and departmental data guardians, and put all staff through data security training. Following a Cabinet Office commitment, that department and others started publishing an analysis of personal data-related incidents in a standardised form, which now appears in their annual reports. That data provides a method for seeing which departments have got a grip on personal data security and which have not.
Departmental breakdown
Examining data from five years’ worth of annual reports (see graph below – click on the image to open it in a new window, where it can be enlarged, magnified, and downloaded) reveals that the Ministry of Justice is responsible for far more incidents than any other government department. In 2017-18 it recorded 3,184 incidents, including 10 serious enough to be reported to the Information Commissioner’s Office. The Ministry of Defence, in second place, recorded just 117, with none reported to the ICO. The Home Office and the Department for Environment, Food and Rural Affairs recorded 66 and 62 respectively, while the Department for Work and Pensions recorded no incidents, despite handling information on most of the population. (
For the MoJ, 2017-18 actually represented an improvement on the year before. In 2016-17 it recorded 3,985 data incidents centrally, up from nearly 2,600 in 2013-14 and 2,800 the year after. In 2015-16, although it published information on some specific incidents it did not publish a total number, uniquely among the annual reports in this research.
An MoJ spokesperson told PublicTechnology: “We take the security of data very seriously and train our staff to ensure they are aware of the care needed when handling sensitive information. While incidents are rare, we investigate each of these and carry out regular risk assessments to prevent them happening in the future.”
25 million
Number of citizens whose data was on discs lost by HMRC in 2007
3,184
Number of data breaches suffered by the MoJ in 2017/18
28%
Proportion of 2017/18 MoJ data breaches that were attributable to the loss of devices, equipment, or paper files
786
Number of driving licences lost by Royal Mail in 2017/18, according to HMCTS
35%
Growth in volume of incidents across MoJ, MoD, Home Office, Defra, and HMRC between 2013-15 and 2016-18
The data breaches point to wider problems, according to Law Society of England and Wales president Christina Blacklaws. “It is a matter of concern that the MoJ, and the court service in particular, is responsible for so many data breaches,” she says. “Data security may well have been compromised by the poor quality of IT in the court service as a result of many years of underfunding. It is essential that the current programme of investment delivers robust new systems that minimise the risk of such breaches.”
Problems with court IT are well known. In January, all 362 courts and tribunal sites in England and Wales experienced connectivity problems. March saw problems affecting the Crown Court Digital Case System – used to host papers for cases – disrupting some hearings.
However, the high numbers may also partly be down to the ministry recording every data breach, regardless of impact. “The department manages millions of records of personal data and takes all incidents of personal data loss very seriously and requires staff to capture small, localised incidents, which comprise most of the figures cited above,” the MoJ said in its 2016-17 report. Other departments, including the MoD and Defra, do not record small local incidents. However, it is worth noting that the MoJ reported 10 serious incidents to the ICO in 2017-18, compared with just two each by the Home Office and HMRC and one by Defra.
Examining data from five years’ worth of annual reports reveals that the Ministry of Justice is responsible for far more incidents than any other government department. In 2017-18 it recorded 3,184 incidents, including 10 serious enough to be reported to the Information Commissioner’s Office. The Ministry of Defence, in second place, recorded just 117, with none reported to the ICO.
The nature of the MoJ’s work may also provide some explanation. It runs the justice system in England and Wales through HM Courts and Tribunals Service, the source of 70% of its recorded data breaches and the same proportion of serious incidents passed to the ICO. According to the MoJ’s 2017-18 annual report, the incident potentially affecting the most people took place in December 2017, when the names, addresses, email addresses and information requested by 1,070 people was uploaded to a public software code repository.
Other incidents involved more sensitive data, some of which could have placed individuals at significant risk of identity theft. In March and April 2017, full magistrates court lists including names, telephone numbers and email addresses, national insurance and driving licence numbers, ethnicity and employee details were sent to press agencies, rather than versions without this sensitive information, affecting 177 people.
“The kind of personal data held by the courts can be highly sensitive and of a confidential nature,” explains Angus Eaton, chief risk officer at law firm Slater and Gordon. “For example, it could include information that identifies anonymised or vulnerable victims of crime down to details of a person’s medical history or their finances. This will always increase the risk of harm to that person if there is a data breach.”
The MoJ has recorded several incidents that might have put people in physical danger in its last two annual reports. Three separate incidents recorded in 2017-18 involved courts or tribunals serving papers that included another party’s confidential address. The previous year’s report saw four incidents of this kind, including in January 2016 the new address of a domestic violence victim being posted to the defendant and September 2016 the new name and address of an assault victim being sent to the perpetrator – in a restraining order.
The justice system has also had numerous problems with couriers. In February 2017, a contracted courier lost Court of Protection application files on 95 individuals with data including medical assessments and care plans as well as names, addresses and dates of birth, while in October of that year another mislaid data on 48 people which included details of offences, national insurance numbers and medical conditions. The following month, a courier’s van containing case files was stolen, with data on criminal and alleged offences, financial means and potentially the details of victims and witnesses on 15 cases.
Court in the act
As with other departments, the MoJ categorised the incidents which it recorded but did not disclose to the ICO, rather than providing specific details. In 2017-18, 62% of these involved unauthorised disclosure, with a further 28% resulting from the “loss of inadequately-protected electronic equipment, devices or paper documents from outside secured government premises” and most of the rest resulting from losses of the same types of material within secured government premises.
The same year’s report from the Courts and Tribunals Service provided further explanation.
“HMCTS is one of the few departments that is still ‘paper-based’, particularly in the tribunals,” the report said. It said that 983 (44%) of the 2,239 data incidents that it recorded were down to external events, blaming Royal Mail for 786 incidents involving lost driving licences. It added that staff errors were responsible for more than half of the incidents where it was at fault, such as putting two items in the same envelope or sending items to the wrong address.
Tim Musson, managing director of Computer Law Training, says that while the breaches sounded horrendous, they were not surprising. “It’s not just the type of data, but the type of organisation, with lots of little centres all over the place, all contacting each other,” he says. The health and social care sectors have similar structures and are likely to experience similar volumes of problems but are split into hundreds of public sector organisations.
Musson says that the legal system presents further problems in that, unlike health and social care, personal data is shared by people working for a wide range of independent organisations, including barristers and law firms. “With the legal system, it’s very hard to keep things secure,” he says.
The justice system remains heavily reliant on paper, even in comparison to other parts of the public sector. Musson, whose company is based in West Lothian, says that digitisation is taking place slowly both in the Scottish legal system and in England and Wales. “It’s a very conservative system, and it doesn’t like changing, doesn’t think all this computer stuff is safe,” he says. If done correctly with use of data encryption, digital systems should be safer – although without this, it can make things worse. “I think it will need a major scandal of some sort, a major event, combined with significant enforcement from the ICO” for things to change, Musson says.
“There are some courts that already use e-filing systems and while cyberattacks remain a threat, digital transfer of files would undoubtedly reduce the risk of human error,” says Angus Eaton at Slater and Gordon. “Encryption can also be used when sharing confidential information which adds an extra layer of security that physical transfers cannot. For any business or organisation involved in the transfer of data, embracing technology is an obvious and necessary response in order to reduce any unnecessary risk.”
The MoJ may record the largest number of data breaches, but it is far from having the fastest rate of increase (see graph below – click on the image to open it in a new window, where it can be enlarged, magnified, and downloaded). Across five central government departments (MoJ, MoD, Home Office, HMRC and Defra), there were 5,642 breaches in the two-year period 2013-15, rising 35% to 7,621 in 2016-18. Defra was up 21% and MoJ up 33%, but far bigger increases were recorded by the MoD, up 172%, topped by the Home Office with an increase of 239%.
HMRC recorded 39% fewer breaches in the latter two-year period than in the earlier one, and more generally appears to have made significant progress since 2007-08, when its annual accounts recorded nine incidents reported to the ICO which potentially affected 25,034,458 people. Its 2008-09 accounts recorded five such incidents covering 141,303 people and its 2009-10 accounts disclosed one breach of personal data severe enough for it to report to the ICO, an unauthorised disclosure in January 2010 of – again – child benefit details, although this time potentially covering just 2,323 people. It disclosed a further 88 incidents that it recorded centrally, but which were not serious enough to justify ICO reporting. It appears to be on a downward trend in numbers: in 2017-18 it reported two incidents to the ICO – potentially affecting just nine people in total – and a further 30 centrally recorded incidents.
The General Data Protection Regulation came into force in May 2018, a few weeks after the end of the financial year covered by the most recent annual reports. Some departments mentioned changes planned to coincide with GDPR, with HMRC establishing mandatory education and awareness for all its staff, the Home Office reviewing its handling of data-breach incidents and Defra revising policies, processes and systems. The MoJ’s report said that its internal audit team had found insufficient progress on assessing risks, but added that it has since taken steps to prioritise readiness work.
Any changes resulting from GDPR will only become clear in the 2018-19 annual reports, but an increase in recorded breaches seems likely. An ICO spokesperson says: “Overall, since the implementation of GDPR on 25 May 2018, there have been more data breach reports because the law requires organisations to report serious security breaches to us within 72 hours. Data breach reporting speaks to accountability – a cornerstone of the GDPR – and it encourages organisations to invest in better security and data governance.”
“Justice is a very conservative system; it doesn’t like changing, and doesn’t think all this computer stuff is safe.”
Tim Musson, Computer Law Training
For Anitha Chinnaswamy, assistant professor in cybersecurity management at Coventry University, there are other reasons why data breaches are increasing. Securing paper is hard to do – “you can’t track it so you don’t know where your document has gone, you can’t audit it” – but the techniques are at least familiar and unchanging. With digital systems, organisations tend both to underestimate the threat and struggle to keep up with it, as criminals invent new methods of attack. “Before you know it, the threat has changed,” she says.
Despite extensive searches the HMRC discs were never found and Lord Darling guessed they were destroyed when they became a matter of national interest. “But the real problem was that in people’s minds the episode called into question the government’s competence,” he wrote. More than a decade later, despite better processes and stronger legislation, it is debatable whether departments including the MoJ have a strong enough grip on citizens’ personal data.
To produce this report, PublicTechnology and Civil Service World examined several years of annual reports from a selection of government departments and agencies which hold large amounts of personal data. The organisations largely publish this data in a standard format allowing comparisons, although it should be noted the amounts of personal data they handle and in some cases their reporting policies vary.