All 84,000 prisoner details lost on unencrypted memory stick

The personal details of all 84,000 prisoners in England and Wales were lost by a contractor working for the Home Office on an unencrypted USB stick.

Private consulting firm PA Consulting lost the stick, which contained the names and dates of birth of every prison inmate, and in some cases their prison release dates. It also had the details of 43,000 more serious ex-offenders.

A full investigation was being conducted by the Home Office and Police, with the Information Commissioner's Office (ICO) also informed, with David Smith, ICO Deputy Commissioner, calling the incident "deeply worrying."

CCTV and the premises were checked but the stick was not found. PA Consulting said that it was collaborating with the Home Office on the incident, but offered no comment.

The Home Office said that it had encrypted the data before passing it onto the firm, but the lost memory stick itself was not encrypted and could therefore be accessed by anybody who found the device.

The fear is that if the details fall into the wrong hands it could leave prisoners with previous convictions in danger of retribution by the victim, and could leave the Government open to being sued.

A recent report by the European Network and Information Security Agency (ENISA) stated that USB sticks represented a big risk as they lacked security controls and were usually not covered by corporate security policies.

Greg Day, security analyst for security vendor McAfee, said that the loss showed that many businesses were still struggling to bring their own security procedures in line with new data loss legislation.

He said that PA Consulting could face legal action thanks to these amendments, if it was found guilty of "intentionally or recklessly disclosing information."

He said: "The latest loss of information illustrates again that these issues need to be addressed sooner rather than later, in order to avoid further embarrassments and to protect those people whose details may be at risk.

"Had the data on the memory stick been encrypted, its loss would have posed no risk. As a result of insufficient security procedures, this information could provide valuable information to those who may misuse it."