Are IT suppliers to blame for government data breaches?

The government is unfairly targeted for data breaches that are in fact caused by IT suppliers, a Home Office director said today.

The Home Office's group commercial director John Collington made the claim at the Government Computing Live conference in London today, as he explained what happened when a data breach hit last year.

The incident in question was the loss of a memory stick containing data on all 84,000 UK prisoners by an employee of contractor PA Consulting in August last year.

Collington was on vacation when an email popped up on his BlackBerry with the subject line "Urgent: Data Loss". By the time he arrived back in the UK, the Home Office had set up a "disaster recovery team" to handle the loss.

He was told a member of a services supplier's staff had lost a memory stick. The contract in question was worth about 500,000, a fairly small one by Home Office standards, and involved taking data from the prison service to share with police, to let them know when prisoners were due for release.

To do that, data was merged between the two agencies. To ensure security, that was only done in a secure environment inside known offices. However, the employee in question transferred the entire data set onto an unencrypted memory stick in order to move it onto a laptop she was working on. The stick then disappeared.

The employee immediately told her supervisors, who promptly told the Ministry of Justice (MoJ) and the Home Office. The police were brought in to search the offices and the employee's home and car for the missing memory stick, but it was never found.

Collington described the incident as "genuine human error," and said that despite this, the "Home Office was vilified in the press," with headlines calling the department "incompetent" despite the error being made by the consultancy firm. "It's the MoJ that have blundered, it's HMRC that have blundered... it's rarely the supplier that's blamed," Collington said.

In the end, PA Consulting did take a hit, very publicly losing the contract, with the work brought back in-house. The employee was punished, too. "She lost her job. Her manager lost his job. Their manager lost their job as a consequence of that particular incident," Collington said.

Now, the Home Office has told suppliers and their own staff not to use data sticks anymore, and to "think carefully before using laptops." But processes alone are not enough. Collington wondered why the employee would choose to handle the data in such an insecure way, but noted that "kind of behaviour is prevalent."

Indeed, Collington said the government isn't the only organisation which needs to rethink its data handling; suppliers need to, as well. "The culture change required needs to be embedded within each of our suppliers," he said.

Fellow panellist William Heath, of data consultancy Ctrl-Shift, disagreed with the idea of putting the blame on private contractors, however. He noted that suppliers are simply "part of a systemic and cultural problem" across the government's data plans.