The UK’s Ministry of Justice (MoJ) reported a total of 16 data breaches and other cyber security incidents to the Information Commisioner’s Office (ICO) during the 2020-21 financial year (12 months to 31 March 2021), including two ransomware attacks against third parties in which the department’s data may have been compromised.
The two ransomware incidents were the October 2020 attack against Hackney Borough Council, which the MoJ reported may have affected data it had shared with the council, and against Ubiqus, an MoJ-accredited supplier of court recordings and transcription services, which was hit in December 2020.
The ICO is still investigating the Hackney incident, and its investigation into the attack on Ubiqus concluded with no further action being taken. According to the MoJ’s annual report and accounts, published on 16 December 2021, both cases affected the data of an unknown number of people.
Donal Blaney, founder of niche litigation practice Griffin Law, who has analysed the MoJ’s data, said the number of incidents was a concern given the nature of the department’s work.
“For the rule of law to mean anything, courts have to be adequately funded, properly staffed and competently run,” he said. “If the MoJ and HMCTS [HM Courts and Tribunals Service] cannot get their own houses in order, what faith can we have as a society that our justice system is not being run in a similarly inept manner?”
Edward Blake, area vice-president of EMEA for Absolute Software, said the increase in sophistication and quantity of ransomware attacks in the past two years meant that even if not directly impacted themselves, organisations needed to be aware that their data was still at risk from incidents at third parties.
“All organisations have been, and will continue to be, impacted by this growing threat trend,” he said. “As a result, it is no longer safe to assume that bad actors haven’t already secured the means to breach a business’s system.
“Therefore, implementing zero-trust protocols to prevent malicious parties from moving laterally through a business’s network is a vital precaution that organisations must take to protect themselves against this elevated cyber threat.”
Among some of the other incidents reported by the MoJ were an error at a third-party bulk scanning facility, which led to tribunal information being wrongfully attributed, and a number of cases in which the names and confidential addresses of victims of crime and domestic abuse were wrongfully shared, raising safeguarding concerns.
The MoJ also fell victim to incidents of user error – in one case, the audio feed from a cloud video platform relating to an interim care order hearing was accidentally livestreamed to Facebook – and malicious insiders – one member of staff was found to have accessed and taken screenshots of a prison computer system, disclosing confidential data of 72 offenders.
In another case, the Covid-19 vaccination status of 25 prison service staff was put at risk after a staffer at a third-party occupational health provider had their car broken into.
The single most impactful incident affected 5,231 individuals and 53 businesses, and saw inaccurate changes to plea data made following the use of a bulk amendment facility to update the cases of magistrates’ hearings that had been adjourned because of Covid-19. The ICO’s response to this incident is still pending.
The MoJ also saw a further 6,267 incidents that did not meet the ICO reporting threshold. Most of those related to information disclosed in error, for example data being sent to the wrong email address.
The MoJ said it takes all incidents of personal data loss very seriously, and that the department requires all staff to undertake mandatory data protection training when they join, and then every 12 months.
It said it continues to monitor and assess its data risks to identify and address weaknesses, and has also recently implemented new processes to improve its ability to conduct root cause analysis of incidents, and take remedial action.