MoJ Fail To Protect Precious Data From Cyber Criminals

The Ministry of Justice, the umbrella ministerial department that oversees the work completed by The Office of the Public Guardian, HM Courts and Tribunals Service, The Legal Ombudsman and The Law Commission, has continually failed to prevent data breaches from taking place, leaving millions of vulnerable people exposed.

In 2018, the governmental ministry that holds sensitive data on the UK’s most vulnerable people suffered at least 2,940 data security incidents. This means that precious data on people who lack capacity, people using lasting powers of attorney, or probate information could have been exposed to cyber criminality within the last year.

Unfortunately, this has been a recurring theme within the department: a freedom of information (FoI) request made by the National Audit Office in 2016 found that 2,801 serious data breaches had taken place by the end of the year.

The Ministry of Justice and the sensitive data it holds have long been a target for cyber attacks. In 2013, the Information Commissioner’s Office (ICO) fined the MoJ £140,000 for insider negligence after all prisoner details within HMP Cardiff were emailed to the families of three prisoners. Similarly, in 2014 a hard drive containing the data of 2,945 prisoners in a Wiltshire prison was lost, resulting in the ICO fining the MoJ £180,000.

The FoI request comes just days after a recent report by Egress found that only 28% of all domains are using DMARC to prevent impersonation and phishing email attacks.  

The data security company Egress found that the majority of domains are ill-equipped to deal with spoofing and impersonation fraud. It ran the test just weeks before the Government’s Secure Intranet (GSI) system, which has been operating on all internal governmental communication since 1996, is set to be replaced by the end of March 2019.

What it discovered was a lack of preparation among many government email administrators. Of the 2,000 email domains that were checked, it was clear that almost three quarters were vulnerable to phishing attacks.

53% of the domains that had integrated DMARC also had their policy set to ‘do nothing’, which places each email box under immediate threat. These settings would give hackers and cyber criminals the opportunity to send spam and phishing messages direct to email boxes. It also means that Business Email Compromise (BEC) and email buffering can’t be prevented.
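An added example, not part of the original article or the Egress report: a check that sorts domains by the DMARC record they publish, separating those with no record from those whose policy is the ‘do nothing’ setting (p=none in a DMARC record). The function names and the sample domains are constructed for illustration, and handling of a missing policy tag is simplified.

```python
from collections import Counter

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: v=DMARC1 must be the first tag, otherwise the record is ignored.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt):
    """Map a TXT value (or None) to missing/invalid/monitor-only/partial/enforcing."""
    tags = parse_dmarc(txt) if txt else None
    if tags is None:
        return "missing"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"          # simplification: no usable policy tag
    if policy == "none":
        return "monitor-only"     # the 'do nothing' setting: failures are only reported
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial"          # policy applied to only a share of failing mail
    return "enforcing"

def summarise(records):
    """Return (counts, % of domains with DMARC, % of those that are monitor-only)."""
    counts = Counter(classify(txt) for txt in records.values())
    with_dmarc = len(records) - counts["missing"]
    pct_dmarc = round(100 * with_dmarc / len(records)) if records else 0
    pct_monitor = round(100 * counts["monitor-only"] / with_dmarc) if with_dmarc else 0
    return counts, pct_dmarc, pct_monitor

# Constructed sample data: values as they would appear at _dmarc.<domain>.
SAMPLE = {
    "a.example": "v=DMARC1; p=none; rua=mailto:reports@a.example",
    "b.example": "v=DMARC1; p=reject",
    "c.example": None,                      # no _dmarc record published
    "d.example": "v=DMARC1; p=quarantine; pct=25",
    "e.example": "v=spf1 -all",             # SPF record, not DMARC
    "f.example": "v=DMARC1; p=none",
}
print(summarise(SAMPLE))
```

A domain in the monitor-only group publishes DMARC but gives receiving mail servers no instruction to quarantine or reject spoofed messages, so for blocking purposes it is in the same position as a domain with no record.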

The Ministry of Justice commented: “We take the security of data very seriously and deliver specific training to our staff to ensure they are aware of the care needed when handling sensitive information. While incidents are rare, we investigate each of these and carry out regular risk assessments to prevent them happening in the future.”

Tommy Sheppard, spokesperson for the SNP, said: “Sharing our personal data with government is done on the basis of trust. It’s a necessary part of the relationship between citizen and state but we must have confidence that departments are treating our data in confidence and minimising the risks of it falling into the wrong hands. The UK government continues to play fast and loose with people’s personal data, which could have serious ramifications.”

How damaging could these data breaches be to the Wills, Probate and Estate Planning Sector?