Lost on USB drive: Confidential data on every prisoner in England and Wales


The Daily Telegraph is just one of the newspapers reporting this morning the latest in a string of recent data loss incidents to have struck the British authorities.

The British Home Office has confirmed that a USB memory stick containing the unencrypted personal details of convicted criminals has gone missing. Information on the thumb drive included names, addresses, dates of birth and – in some instances – prisoners’ release dates.

The USB memory stick was in the possession of external contractor PA Consulting, a private firm working on J Track – an electronic system designed to help government departments monitor offenders. It is understood that the Home Office sent the data via email to PA Consulting in encrypted form, but it was then copied – unencrypted – to the now lost USB data stick.

In total almost 130,000 prisoners are said to have been affected by the data loss:

  • The files on the memory stick also included Police National Computer data detailing the names and addresses of England and Wales’s worst criminals – approximately 33,000 people with six or more convictions in the last year.
  • Names and dates of birth (but not addresses) of 10,000 prolific and other priority criminals.
  • Names, dates of birth and, in some cases, expected release dates of all 84,000 prisoners held in England and Wales.

In addition, the lost data included information from the Drugs Interventions Programme, but in this case the files had been “sanitised” by only using the initials of convicts rather than their full names.

The information lost is highly sensitive not only because of the usual dangers of identity theft, but also because of the risk of attacks by avenging victims on criminals who have served their sentences.

As we discussed on the blog last month, it’s clear that people working with sensitive data are being slapdash in their use of USB memory sticks, and not thinking of the potential security risks.

Although companies can’t strip search employees in order to prevent confidential data leaving the business premises each day, they can take steps to help fight data leakage. More and more organizations are looking to control access to USB ports, to examine data to assess its sensitivity, and to encrypt it as appropriate, so that they avoid becoming the next company or government department to make headline news.

Research has shown that approximately 95% of data loss is accidental, so companies need to take action to reduce the chances of an accident like this most recent example happening in their own organization.

* Image source: Nedko’s Flickr photostream (Creative Commons 2.0)


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
