This article is more than 1 year old
Home Office lost its workers' completed security vetting forms
Terrible Theresa's department caught making worst security blunder of all
The Home Office has admitted to The Register that among its data breach incidents last year was one in which security vetting documents disappeared from within secured government premises.
Through the Freedom of Information Act, The Register has learned that the Home Office – responsible for the UK's domestic counter-intelligence and security agency, MI5 – lost documents containing "sensitive personal information relating to security vetting." In a separate incident, at least one birth certificate was lost.
The documents were "lost internally between the recipient of the postal package and the vetting team" within a Home Office government building, the department admitted, adding that "the contents had not been reviewed."
Last year we reported that the Home Office suffered 33 data breaches which were not reported to the Information Commissioner's Office, although the department has now claimed one incident was noted incorrectly.
There were eight instances in which "inadequately protected electronic equipment, devices or paper documents" had been lost "from outside secured government premises", 13 instances of "Unauthorised Disclosure" and nine listed under "Other".
Lost outside of secure premises
All of the information lost outside of secure government premises related to "borders and immigration activity" and held content which the owners could not recall in its entirety. The time frame was financial year 2014/15.
- July 2014: Bag left on train contained notebook.
- August 2014: Bag stolen from car contained work notebook and uniform epaulettes.
- September 2014: Bag stolen from car containing paper documents.
- September 2014: Equipment belt and pouch stolen from car, with a work notebook in the belt. The notebook was recovered by the police and returned to the Home Office.
- January 2015: Dictaphone "lost in the home of member of staff". However, "Encryption means device could be locked to remote access. No access to information."
- February 2015: Bag stolen from car, containing two notebooks. Both were recovered by the police and returned to the Home Office.
- February 2015: Another bag stolen from car, containing two notebooks. Both were recovered by the police and returned to the Home Office.
- March 2015: Car broken into, devices and paper stolen. The paper documents were recovered by the police and returned to the Home Office. The devices "were encrypted and locked to remote access. Not access to information [sic]."
Unauthorised disclosure
The majority of data breaches under "unauthorised disclosure" focused on borders and immigration activity. They included a commercial partner's error in which about 150 data subjects had their details lost, although no further information was provided about who the commercial partner was, nor how the Home Office was sure about the figure of 150.
A previous unauthorised disclosure, which was reported to the ICO, featured the Home Office accidentally publishing the personal details of 1,598 migrants.
Other disclosures included:
- May 2014: Paper documents were faxed in error to the wrong business, after a member of staff "mis-keyed one digit in a fax number". The Home Office noted that "the documents were returned by the private business."
- June 2014:Paper documents given to a driver in error. "The personal information in the file was about the data subject to whom the file was given."
- June 2014: A document containing the details of 19 data subjects was emailed in eror internally to another member of staff. The email, containing information related to a misconduct hearing, was deleted.
- July, 2014: Another fax was mis-keyed.
- September, 2014:A commercial partner published information relating to borders and immigration activity, affecting "150" data subjects. According to the Home Office, the partner's website “was updated regularly” so “figures were not exact.”
- October, 2014: Paper documents sent to three recipients in error. "Information was recovered and returned to Home Office."
- November, 2014: Paper documents sent to three recipients in error. "Information was recovered and returned to Home Office."
- November, 2014: Paper documents sent to three recipients in error. "Document was securely destroyed by member of staff who received it in error."
- November, 2014: Information emailed in error.
- December, 2014: Paper documents given to wrong recipient in error.
- December, 2014: Information emailed in error.
- January, 2015: Paper document disclosed in error. "Document was securely destroyed."
- January, 2015: Information disclosed verbally in error.
Other
- June 2014: Papers taken by non-Home Office personnel in error. "Person responsible handed in all documents to local police station. The police securely destroyed it."
- July 2014: Paper documents mislaid – circumstances of loss unknown
- July 2014: Paper documents mislaid – circumstances of loss unknown
- September 2014: Insufficient access controls in place to folder on internal Home Office IT system, containing personal information around police vetting.
- October 2014: Laptop stolen from solicitors chambers – device was password protected and had remote wipe facility which was activated. No access to information.
- November 2014: Work notebook misplaced. Circumstances of loss unknown.
- February 2015: Notebooks misplaced – circumstances of loss unknown.
- February 2015: Information that was emailed to a third party (outside of the secure network) was not encrypted.
- March 2015: Paper document misplaced within Heathrow Airport – circumstances of loss could not be recalled.
The Home Office was unable to estimate how many data subjects were affected by these breaches, as incomplete information was available on several of them. ®