Data on 84,000 U.K. prisoners is lost
A contractor for the Home Office had downloaded the unencrypted data to a USB memory stick for "processing purposes." Loss results in suspension of PA Consulting staffer.
Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.
Contractor PA Consulting alerted the Home Office to the loss last Monday evening--and by midday Tuesday, the contractor confirmed "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cachet of sensitive information.
According to a Home Office statement, the missing USB stick contains:
- Data relating to all prisoners in England and Wales, including names, birth dates, and, in some cases, expected prison release data of about 84,000 individuals
- Data relating to prolific and other priority offenders, including the names and birth dates of approximately 10,000 individuals
- Drug Interventions Programme data, with offenders' initials
"We have been made aware of a security breach at the offices of an external contractor involving the loss of personal information about offenders in England and Wales," a Home Office statement said. "A full investigation is being conducted. Police and the Information Commissioner have been informed."
It added: "The data was held in a secure format on the contractor's site. It was downloaded onto a memory stick for processing purposes, which has since been lost. The transfer of data on this assignment to the external contractor has been suspended."
Following the breach, a member of PA Consulting staff has been suspended, a Home Office representative said.
The company was appointed by the Home Office in June 2007 to provide application support for tracking prolific and priority offenders through the criminal justice system.
Asked whether the Home Office will be terminating PA Consulting's contract in light of the security breach, the representative told Silicon.com, "We are investigating the external contractor's contractual obligations."
The Home Office refused to comment on whether security measures should have been in place to prevent unencrypted data being transferred onto a USB stick. The representative also refused to clarify exactly what security requirements the Home Office has for external contractors who handle sensitive data.
PA Consulting--which was selected in 2004 to also work with the Home Office on the design, feasibility, and business and procurement elements of the government's ID card program--said in a statement, "We are collaborating closely with the Home Office on this matter. We have no further comment to make at this time."
This is not the first time sensitive data held by the government has gone missing.
Just last month, it emerged that the details of 45,000 people, including criminal records and banking and court information, have been lost or compromised in the past year by the Ministry of Justice. And last year, two CDs containing the confidential personal details of 25 million child benefit recipients were lost by HM Revenue & Customs.
"It is deeply worrying that after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost," David Smith, deputy commissioner for U.K. data protection watchdog the Information Commissioner's Office, said in a statement. "The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability, if it is not handled properly and reinforces the need for data protection to be taken seriously at all levels. It is vital that sensitive information such as prisoner records is held securely at all times."
Smith added: "The Home Office has informed us that an internal investigation is being carried out into the data security arrangements between the Home Office and its contractor, PA Consulting. We expect the Home Office to provide us at the Information Commissioner's Office with a copy of the report and its findings. We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information."
Natasha Lomas of Silicon.com reported from London.