Serious Fraud Office fined £180,000 for BAE data breach

Serious Fraud Office fined £180,000 for BAE data breach

The Serious Fraud Office (SFO) has been fined £180,000 after thousands of confidential documents from a high-profile bribery investigation were mistakenly sent to the wrong person.

The papers, from an investigation into a BAE Systems deal, contained evidence relating to 64 people. They were wrongly sent to a witness in the case in an “astounding” lapse, the Information Commissioner’s Office said. The SFO said it had “substantially overhauled its procedures”. It is the first time the SFO has been fined by the UK’s privacy regulator.

The documents – including bank statements, hospital invoices and passport details – related to the SFO’s investigation into allegations that executives at BAE received payments as part of an arms deal with Saudi Arabia. The al-Yamamah deal involved the sale of tens of billions of pounds worth of arms by BAE to Saudi Arabia, beginning in the 1980s and ending in 2006 with the sale of 72 Typhoon fighter jets.

Allegations of corruption and bribery led to an SFO investigation in 2004 but it was closed in 2006 on grounds of public interest, amid concerns that relations with Saudi Arabia were being harmed. After it was closed, the SFO sent more than 2,000 bags of evidence to “Witness A” between November 2011 and February 2013.

‘Sensitive’ evidence

It was later discovered that a “relatively inexperienced” temporary worker had mistakenly sent 407 of the bags belonging to 64 people to the witness, the Information Commissioner’s Office (ICO) said. Despite the witness contacting the SFO to say he had wrongly received some evidence in November 2011, the SFO sent him more in May 2012, the regulator added. This was despite the witness’s concerns being raised at a “senior level”.

The breach was likely to have caused “substantial distress” to witnesses, the ICO said, as there was evidence some of the information was disclosed to a national newspaper and “possibly disseminated overseas”. The SFO began investigating the breach after details were requested in response to a parliamentary question in June 2013.

At that time Labour MP Emily Thornberry told Parliament the documents had been found in a storage facility which was also being used as a cannabis farm in east London. People will be “quite rightly shocked” the SFO failed to keep the information of so many individuals secure, ICO deputy commissioner David Smith said. “Given how high-profile this case was – and how sensitive the evidence being returned to witnesses potentially was – it is astounding that the SFO got this wrong,” he said.

The SFO has since recovered 98% of the documents and taken action to ensure adequate security checks, the ICO said. A SFO spokeswoman said the fine was “expected”, adding: “The SFO took immediate action to recover the data and, following two independent reviews, substantially overhauled its procedures to ensure this mistake could not be made again.”


Why not make the transition from hard copy to electronic storage of documents? It’s easier than you think, click on the link…