Friday 9 August 2013

“Wilmslow, we have a problem” (Britain's latest big data breach)

Telephone intercepts can sometimes end up in the wrong hands. And, occasionally, technical difficulties mean that only one side of the conversation is intercepted. 

What might have happened if an intercepted conversation like this had been made public by Wikileaks, or some other group that leaks official secrets to the public at large?

Hi, is that the ICO’s Breach Notification Department? It’s Maud at the Serious Fraud Office. We’ve had a bit of an incident over here, and our interim Data Protection Officer thought you might want to know. It’s all a bit hush hush – so you mustn’t tell anyone else about it.

What? Dunno how it happened. Probably some kid on work experience got carried away with the address labelling machine in the post room, and stuck the wrong address labels on some boxes.

How many boxes did you say? Dunno. Enough to hold about 32,000 pages of documents, 81 audio tapes and a load of computer files.

When did it happen, did you say? Dunno. Probably last year between May and October.  We realised that something was wrong about 3 months ago, and we think we’ve recovered about 98% of the material.   So we’re only short of about 1,600 documents, a couple of audio tapes and a handful of computer files.

What were they about, did you say? Dunno – I haven’t read any of them. They came from that team that carried out a 6 year investigation into allegations that British Aerospace had paid bribes around the world to secure lucrative arms contracts. You know, the one that ended with BAE paying out almost £300 million in penalties. Yes, that was the one.

Who were they mistakenly sent to? I can’t tell you that. That’s against data protection.  These recipients have got rights, you know.

Whattdya mean we’ve got to fill in a breach notification form and you’ve going to start an investigation? We’re the ones that do the investigating around here.  

Civil Monetary Penalties? Are you mad? Do you think we’re seriously gonna cough up simply because some prat stuck the wrong labels on some bloody boxes? Don’t you know how many boxes there are, lying around our post room? We deserve medals for making sure incidents like this don’t happen every week.   It’s not that serious, you know. Nowhere near as serious as most of the crimes we’re trying to investigate.

Well, if you’re going to take that attitude, then there will be a problem. All I was told to do was give you a quick call on the sly so you’ve clocked that we’ve ticked the “no publicity” box for this incident. Stuff like this is embarrassing. So keep it quiet, ok?

Whattdya mean it’s all over the papers today?


In that case, the SFO will revert to plan B. We’ve given you an oral report of the incident. So what if it's 3 months late.  If you want one in writing it’ll take us another 3 months – and by the time you guys have had satisfactory answers to every point you raise it’ll be well into autumn 2014. By that time, hopefully some other poor sod will have reported an even more newsworthy data breach, and the heat will be off us. Oh, and our interim Data Protection Officer tells me we’re fast running out of money, so there’s no hope of you slapping a huge fine on us for our sloppy data handling standards. We’ve stopped school kids from getting work experience in the post room, and that’s all that can be done right now.  They’ve been reassigned to the typing pool, instead.

Oh, and don’t go around in public mouthing off about us or telling everyone that you’re investigating us. There must be a law against that, somewhere.

Section 59 of the Data Protection Act prevents the Information Commissioner or his staff from revealing what enforcement action they intend to take, until it has been taken (unless the news is already in the public domain). So we can only dream about what may happen.