The UK’s Crown Prosecution Service (CPS) has recorded over 1600 data breaches over the course of a year, including scores of unauthorized disclosures classed as “severe,” it has emerged. The data featured in the CPS annual report revealed a total of 1627 recorded data breaches in the 2019-20 financial year, up 18% from the previous year. These included 59 incidents that were serious enough to be reported to the Information Commissioner’s Office (ICO). The vast majority (1463) of incidents related to unauthorized disclosure, which usually indicates some form of human error was to blame. Although most (1385) of these were classed as “very minor” or retained within the criminal justice profession, 78 were classed as “severe.”
I’d definitely refrain from criticising the Crown Prosecution Service (CPS) unless we have a better and multidimensional understanding of the reported incidents. It is likely that most of them are of an insignificant nature and should have never been classified as a “data breach”. Furthermore, we should first compare the numbers with their national and international peers prior to making accusatory conclusions. Undoubtedly, a considerable part of the incidents stems from people, as human error, carelessness and negligence continue to be the dominating root causes of data leaks in companies and organizations around the globe with no exception.
Moreover, as most of the law enforcement services, CPS is considerably understaffed and underfunded for its in-house data protection and cybersecurity. The unprecedented havoc caused by the pandemic has exacerbated the situation with rapid growth and complication of the threat landscape, let alone third-party risk management. Cybersecurity personnel are already exhausted and overcharged with mushrooming problems, and they simply cannot police every single employee and subcontractor of the CPS who has privileged access to some sensitive data.
To tackle the issue, the government should urgently re-evaluate the financial needs of its law protection agencies and adjust the funding to reality. Otherwise, one day the most sensitive national data will become public and trigger a parade of horrors – from a tsunami of lawsuits to hundreds of suicides.
As the revelations about the UK’s Crown Prosecution Service (CPS) underscore, although many consider a breach to be driven by cybercriminals, the biggest contributor is still old-fashioned human error. Whether it be from innocent, unintentional mistakes at one end of the spectrum to depraved indifference and incompetence at the other end, many of these unintended disclosures stem from the presence of sensitive data. In some cases the sensitive data is extraneous – such as pulling analytics reports that contain full datasets instead of minimally targeted ones – while in other cases the data is absolutely necessary. To truly get a handle on where data is and who is using it – not to mention the data that exists but isn’t being used – organizations absolutely must be performing continuous discovery and classification followed by rigorous protection of the identified sensitive data using data-centric security technologies such as tokenization. These technologies prevent breaches, accidental or otherwise, and ensure that the most sensitive data is identified and protected regardless of where it exists or who has possession of it – all while maintaining the referential integrity so that analytics, searching, and access by authorized users is still possible.
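The discovery-then-tokenize workflow described in the comment above, as an added illustration that is not part of the original article or any vendor's product: records are scanned against simplified, assumed classification patterns, matching fields are replaced by deterministic vault tokens, and because equal values always yield equal tokens, a join across two tokenized datasets still works while the originals stay in the vault. The sample records and patterns are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
# Constructed sample records (made-up values): two tables sharing a person identifier.
CASES = [
    {"case_id": "C-1", "ni_number": "AB123456C", "email": "witness1@example.org"},
    {"case_id": "C-2", "ni_number": "ZZ987654A", "email": "witness2@example.org"},
]
CONTACTS = [
    {"ni_number": "AB123456C", "phone": "07700 900123"},
    {"ni_number": "ZZ987654A", "phone": "07700 900456"},
]
# Discovery rules: simplified, assumed patterns (real classifiers add context and checksums).
CLASSIFIERS = {
    "ni_number": re.compile(r"^[A-Z]{2}\d{6}[A-D]$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "uk_mobile": re.compile(r"^07\d{3} ?\d{6}$"),
}
def classify(record):
    """Return {field: class} for every value that matches a sensitive-data rule."""
    return {f: label for f, v in record.items() if isinstance(v, str)
            for label, pat in CLASSIFIERS.items() if pat.match(v)}

class TokenVault:
    """Deterministic vault tokenization: equal inputs map to equal tokens, so joins
    across datasets still work, but a token reveals nothing without the vault."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._vault = {}  # token -> original; an access-controlled store in practice
    def tokenize(self, value):
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:32]
        self._vault[token] = value
        return token
    def detokenize(self, token):
        return self._vault[token]  # only reachable through an authorized path

def protect(records, vault):
    """Replace every classified field with its token; leave other fields untouched."""
    out = []
    for r in records:
        sens = classify(r)
        out.append({f: vault.tokenize(v) if f in sens else v for f, v in r.items()})
    return out

def join_on(left, right, field):
    """Inner join two record lists on a shared field; works unchanged on tokens."""
    index = {r[field]: r for r in right}
    return [{**l, **index[l[field]]} for l in left if l[field] in index]
```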