Northern Ireland’s Department of Justice has suffered an embarrassing data breach that has resulted in a £185,000 fine from the Information Commissioner’s Office (ICO). The fine was reduced to £148,000 for early payment.
The data breach occurred when one of the department’s agencies, the Northern Ireland Compensation Agency, sent 59 locked filing cabinets without keys to auction without checking what was in them beforehand.
After the person who bought the filing cabinet at the auction managed to break into it, he contacted police on realising what it contained. The filing cabinet was full of confidential paperwork from the 1970s to 2005. This paperwork contained confidential data such as personal details belonging to victims of a terrorist attack, the injuries that they suffered and the amount of compensation that they had been offered.
The Police Service of Northern Ireland took the documents and handed them back to the department, which in turn reported the incident to the ICO.
After the ICO’s investigation, the Department of Justice has stated that it is confident that none of the data has been compromised, as the cabinet had remained locked until the person who purchased it forced it open. The department is also confident that none of the other filing cabinets contained any files and was keen to stress that it openly cooperated with the ICO as soon as it knew about the data breach.
Justice Minister David Ford stated, “I, and my Department, take the security of personal data very seriously and accept that this was a breach of the Data Protection Act and should not have happened. We informed the Information Commissioner as soon as we became aware of the breach. The Justice Committee was also subsequently made aware.”
Ford added, “The Department has co-operated fully with the Information Commissioner and paid the penalty imposed. This was an unfortunate breach of data security caused by simple human error and not a systemic problem within the Department. We are satisfied that none of the information was compromised and none of the other cabinets sold contained any files.”
Ford concluded, “Detailed procedures have now been implemented to ensure that, in future, any personal data contained in furniture that is being disposed of will be dealt with securely.”
Ken Macdonald, the assistant commissioner for Northern Ireland, believes that the fine imposed is suitable because of the potential harm that this data breach could have caused if the data had fallen into the wrong hands.
Macdonald stated, “This is clearly a very serious case. While failing to check the contents of a filing cabinet before selling it may seem careless, the nature of the information typically held by this organisation made the error all the more concerning. The distress that could have been caused to victims and their families had this fallen into the wrong hands is self-evident.”
This latest security breach shows that it is now imperative for companies to have a strict data security plan in place that is followed and fully understood by all employees. This is another incident where, had the department been proactive rather than reactive in ensuring that appropriate procedures were in place, it would have saved itself a significant amount of money and damage to its reputation.