Scottish Government bodies were in part to blame for four serious cyber-security incidents in the last year, according to documents obtained by The Times. Through FoI requests issued by the paper, unique insights into the nature of ‘four significant data security incidents’ over the last 12 months have been unveiled, including the discovery that each one resulted in the leaking of personal information belonging to members of the public.
The documents reveal that every one of the leaks arose from civil servants incorrectly securing emails or sending them to the wrong recipients. Additionally, The Times asserts that in three out of the four cases, the leaks were “serious enough to breach data protection laws”.
Only broad outlines of the nature of the four incidents were published by The Times. The most severe of these errors involved Disclosure Scotland, the government body that manages criminal disclosure records. According to the documents, a civil servant for the agency caused an information breach when they sent an email intended for a number of recipients using the ‘carbon-copy’ (CC) field, as opposed to the ‘blind carbon-copy’ (BCC) option, where recipients are concealed.
A second serious incident involved the Scottish Public Pensions Agency, in which a civil servant emailed information to the incorrect recipient. The third incident saw an agricultural department repeat the mistake of Disclosure Scotland, using CC on a mass email. The final breach was made by the Scottish Government itself, which mistakenly emailed ‘sensitive information’ to an external email address.
Murdo Fraser, MSP for the Scottish Conservatives, warned the Government that these incidents are ‘making it easier’ for cyber-criminals to take advantage of sensitive information. Fraser said: “The admission that the Scottish government has mishandled significant quantities of personal data and information vital to the running of the government is of grave concern to everyone in Scotland.
“These mistakes are entirely the fault of the Scottish government and, worryingly, may signal security weaknesses that hackers may find enticing. At the very least, it is crucial the Scottish government takes these mistakes seriously and adequately protects the private details of its citizens.”
A Scottish government spokeswoman told The Times in response to the disclosures: “We take cyber-security and data protection very seriously, and any breaches – although extremely rare – are treated with the gravity they deserve.
“Every incident of this kind is thoroughly investigated to ensure lessons are learnt and appropriate action is taken.”
These incidents are separate from a ‘brute force’ cyber-attack that struck the Scottish Parliament in mid-August this year. The attack attempted to crack the passwords of Holyrood MSPs, but was unable to breach IT defences. Cyber-experts later speculated that the incident might have been a ‘test’ by a foreign power, designed to check how strong Scottish defences actually were.