Two prisons failed to encrypt their data because nobody told them how
The Information Commissioner’s Office (ICO) has hit the Ministry of Justice (MoJ) with a £180,000 fine over repeated security failings of the prison system in England and Wales.
For example in May 2013, HMP Erlestoke prison in Wiltshire lost a back-up hard drive with confidential information about 2,935 prisoners. This included the details of their victims, visitors, links to organised crime, medical and drug history. Such information could pose a security risk in the wrong hands.
In 2011, a similar incident involving the details of 16,000 inmates happened at HMP High Down prison in Surrey.
To make matters worse, the hard drive that went missing from Erlestoke prison was unencrypted, despite the fact that the prison service provided new drives with self-encrypting capabilities to all 75 prisons in England and Wales in 2012.
ICO said its latest investigation found that the prison staff simply didn’t realise that the encryption option on the drives needed to be turned on to work correctly.
“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief,” said Stephen Eckersley, head of enforcement at ICO.
“This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally setup correctly.
“We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
The MoJ is now working with the National Offenders and Management Service to ensure all of the hard drives being used by prisons are securely encrypted. The ICO advises organisations to encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.
In total, the watchdog has issued £700,000 worth of penalties in just three recent cases where breaches could have been easily prevented by using encryption properly.
In July, UK-based online travel agency Essential Travel was fined £150,000, after hackers got their hands on more than a million debit and credit card records, as well as other customer data. It later turned out that while some of this data was encrypted, the encryption key was stored on the same server and could be easily accessed.
What do you know about tech regulators around the world? Take our quiz!