U.K. Ministry of Justice Fined for Data Breach


The U.K. Information Commissioner's Office (ICO) recently fined the Ministry of Justice £140,000 after the details of all 1,182 prisoners at HM Prison Cardiff were mistakenly e-mailed to three of the inmates' families.

The breach was only discovered when one of the recipients contacted the prison on August 2, 2011 to report that they had received a spreadsheet containing 1,182 prisoners' names, ethnicities, addresses, sentence lengths, release dates, and coded details of their offenses.

An internal investigation determined that the same spreadsheet had been mistakenly attached to e-mails at two other times during the same month.

According to the ICO, the police and a member of the prison staff went to each recipient's home to ensure that the files had been deleted.

The ICO was informed of the breaches on September 8, 2011. The ICO's investigation determined that the clerk responsible for sending the e-mails was working unsupervised, despite having only worked at the prison for two months with limited training. The investigation also found that prisoner's records were routinely transferred on unencrypted disks.

"The potential damage and distress that could have been caused by this serious data breach is obvious," ICO deputy commissioner and director of data protection David Smith said in a statement. "Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses."