The UK government is investigating a potentially damaging data loss incident after admitting two discs containing information related to three highly sensitive police inquiries have gone missing.
The police probes were set up to find out what part the cops played in the deaths of three men – Robert Hamill, Azelle Rodney and Mark Duggan. The shooting of the latter in Tottenham in 2011 sparked some of the worst rioting in the capital in recent history.
The authorities became aware of the data loss on 8 January, with the two discs of data going missing in the post. “Intensive searches” by police have so far been fruitless.
The government said the following in a lengthy statement:
“Treasury Solicitor’s lawyers were commissioned to undertake a review of all the documents in question, to identify any confidential or sensitive information relating to individuals or agencies and enable any risks to be assessed. Individuals will be contacted, where appropriate, to inform them of any personal information relating to them.
As well as safeguarding individuals’ interests, the government has undertaken urgent investigations into how this incident was able to happen, and further investigations continue in relation to both the conduct of individuals and the organisational safeguards against information security breaches of this kind. A member of staff has been suspended to facilitate the investigation. Once concluded disciplinary action will be taken if appropriate.”
All three inquiries have completed their work, with the Hamill Inquiry yet to publish its report, the government added.
Data protection watchdog the Information Commissioner’s Office (ICO) has been informed and will probably begin its own investigation.
It is not clear if the lost data was encrypted or not.
Charles Sweeney, CEO of web security firm Bloxx, argued that if the data breach was the result of a calculated malicious insider it would likely have been executed with more sophistication.
“Instead it would appear that this is a simple, and embarrassing, case of user error. Given the sensitive nature of these documents more attention should have been paid to how the information was being disseminated,” he told Infosecurity.
“It will be interesting to see the reaction of the ICO, as it is usually very robust in its response to such incidents."
Bharat Mistry, cyber security consultant at Trend Micro, told Infosecurity that organizations need to have robust security awareness and data handling procedures in place which are tested on a regular basis to ensure that they are being followed.
“This case in point reflects the disconnect between the goals of a business function and the mission of the security team,” he added.
“In most organizations the business function will take risks to gain a competitive edge, whereas the Security Team will be very much risk averse and put in place controls or policies that inhibit enablement or productivity.”