The Crown Prosecution Service (CPS) of the UK has come under scrutiny after it lost DVDs containing sensitive interviews with child sex abuse victims during a postal transfer. This incident highlights ongoing vulnerabilities in data handling practices among organizations entrusted with sensitive information. The organization has been fined £325,000 for this breach, which marks the second occasion it has faced consequences related to the loss of sensitive video materials.
According to the Information Commissioner’s Office (ICO), the lost disks included interviews from 15 child victims that were intended for use in a trial. These recordings contained highly sensitive personal information, not only about the victims but also about alleged perpetrators and other involved parties. This loss has raised significant concerns regarding data protection protocols within the CPS, especially as the DVDs were shipped via tracked delivery but left unattended in a reception area of a shared office building outside of normal operational hours.
The circumstances of this loss are concerning. While the building had locked entry doors, the reception area remained accessible to anyone with entry to the facility. The DVDs were dispatched without proper tamper-proof packaging, leaving them vulnerable to theft or misuse. As of now, the whereabouts of the DVDs remain unknown.
This incident adds to a series of criticisms directed at the CPS, particularly regarding its management of sensitive investigations into sexual offenses, which have been compounded by budget constraints and staffing reductions. The current director of public prosecutions, Alison Saunders, announced her departure in October after a tenure marked by controversy, particularly regarding how high-profile rape cases were handled.
The records in question were dispatched in November 2016, but their absence was not recognized until the following month. It wasn’t until March of the subsequent year that the CPS informed the victims involved about the loss. The ICO has determined that the CPS acted negligently in its responsibility to securely manage such sensitive material, failing to consider the “substantial distress” caused by the potential exposure of this data.
Despite a previous incident in November 2015 that similarly resulted in lost victim and witness video evidence, the CPS was criticized for not implementing enhanced safeguards to prevent recurrence of such breaches. Steve Eckersley, the head of enforcement at the ICO, emphasized that the CPS’s failure to take fundamental steps to protect sensitive data erodes victim trust, which is crucial for encouraging individuals to report serious crimes.
In response to these difficulties, a CPS spokesperson stated that the agency has apologized to the families affected and expressed a desire to meet with them to address their concerns. The spokesperson reassured the public that there is currently no evidence suggesting unauthorized individuals viewed the lost material. Furthermore, the CPS has committed to a comprehensive review of its systems and processes concerning the receipt and management of video interviews. To mitigate future risks, the agency is rolling out a new system for secure online transfers of materials, eliminating the need to send recordings through the postal service.
In evaluating this incident through the lens of cybersecurity, one could identify tactics and techniques framed within the MITRE ATT&CK Matrix that may have been applicable. Although this case does not involve traditional cyber-attack techniques such as exploitation or command and control, it does reflect lapses in initial access and data handling, which could lead to exploitation if sensitive information falls into the wrong hands. The combination of negligence and inadequate security measures raises important questions about how organizations can fortify their data protection practices in the face of ever-evolving threats.
