Computer equipment storing more than 400,000 confidential court files was stolen from a court - and the theft only discovered months later when it appeared for sale on eBay, the Gazette can exclusively reveal.
The network server, which contained personal details of victims and witnesses, was apparently stolen by a subcontractor in January 2012 during the decommissioning of Salford Magistrates’ Court. The server was subsequently returned but police have been unable to trace the thief.
The Ministry of Justice revealed basic details of the theft on page 31 of its annual report released in June.
Justice minister Helen Grant last week confirmed that the theft only came to light in May 2012 when the server was put up for sale on eBay still bearing an IT contractor’s logo.
The incident was reported to the Information Commissioner’s Office, following an internal inquiry. The ICO has said it will not comment while it is handling an investigation into the theft.
The ICO has been active this year in punishing public bodies for data breaches.
In July it fined NHS Surrey £200,000 for failing to check the destruction of old computers and in June it fined North Staffordshire Combined Healthcare Trust £55,000 for sending faxes to the wrong people. Glasgow City Council, Stockport PCT and the Nursing and Midwifery Council have also been fined between £100,000 and £150,000 this year for data protection breaches.
Shadow justice minister Andy Slaughter called the incident ‘one of the most serious leaks’ from the current government and demanded to know why the MoJ took so long to respond.
‘Details of hundreds of sensitive files which could put victims and witnesses in criminal trials at risk have been stolen,’ said Slaughter.
‘The data was recovered only because it was advertised on eBay, but the thief was not caught, nor were potential victims informed.’
In a response to a written question from Slaughter, Grant said a police investigation had found insufficient evidence to identify who stole the server and no charges were brought.
She confirmed that the server, which was valued at £1,200, contained ‘personal and sensitive data, including court documents and emails’.
Grant said the MoJ had conducted a ‘detailed forensic analysis’ of the recovered server that suggested it was unlikely that information had been taken.
‘The audit did not identify any access to the files during the time the server was not under the control of MoJ and therefore no action has been taken to inform those affected,’ she added.
‘The matter is still under investigation by the ICO and we await their report.’
Salford was one of 142 courts allocated for closure by the coalition government in 2010 and it was finally shut in December 2011. The grade-II listed building is now likely to be turned into flats.
The MoJ’s annual report revealed a total of 2,394 protected personal data-related incidents in 2012/13.
More than half of these were described by the department as ‘unauthorised disclosure’, with a further 771 incidents involving the loss of inadequately protected electronic equipment, devices or paper documents from outside government premises. A further 192 incidents involved data loss from inside secured government premises.
Compared to 2011/12, there were 395 fewer personal data losses across the department – a 14% reduction.
The MoJ said this was a ‘significant achievement’ made possible by risk management work by HM Courts & Tribunals Service.