Lost on USB drive: Confidential data on every prisoner in England and Wales

Filed Under: Data loss, Law & order


The Daily Telegraph is just one of the newspapers reporting this morning the latest in a string of recent data loss incidents to have struck the British authorities.

The British Home Office has confirmed that a USB memory stick containing the unencrypted personal details of convicted criminals has gone missing. Infomation on the thumb drive included names, addresses, dates of birth and - in some instances - prisoners' release dates.

The USB memory stick was in the possession of external contractor PA Consulting, a private firm working on J Track - an electronic system designed to help government departments monitor offenders. It is understood that the Home Office sent the data via email to PA Consulting in encrypted form, but it was then copied - unencrypted - to the now lost USB data stick.

In total almost 130,000 prisoners are said to have been affected by the data loss:

  • The files on the memory stick also included Police National Computer data detailing the names and addresses of England and Wales's worst criminals - approximately 33,000 people with six or more convictions in the last year.
  • Names and dates of birth (but not addresses) of 10,000 prolific and other priority criminals.
  • Names, dates of birth - and in some cases - expected release dates - of all 84,000 prisoners held in England and Wales.

In addition, the lost data included information from the Drugs Interventions Programme, but in this case the files had been "sanitised" by only using the initials of convicts rather than their full names.

The information lost is highly sensitive not only because of the usual dangers of identity theft, but also because of the risk of attacks on criminals who have served their sentences at the hands of avenging victims.

As we discussed on the blog last month, it's clear that people working with sensitive data are being slapdash in their use of USB memory sticks, and not thinking of the potential security risks.

Although companies can't strip search employees in order to prevent confidential data leaving the business premises each day, they can take steps to help fight data leakage. More and more organizations are looking to control access to USB ports, and examining data to assess its sensitivity and encrypting it as appropriate, to prevent them being the next company or government department making headline news.

Research has shown that approximately 95% of data loss is accidental, so companies need to take action to reduce the chances of an accident like this most recent example happening in their own organization.

* Image source: Nedko’s Flickr photostream (Creative Commons 2.0)

You might like

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.