Skip to content ↓ | Skip to navigation ↓

The Serious Fraud Office (SFO), an independent UK Government department whose mission is to investigate instances of serious and complex fraud, was recently fined £180,000 following a data breach during one of its investigations.

In 2004, the SFO initiated an investigation into an arms deal between aerospace company BAE Systems and Saudi Arabia in response to allegations of corruption and bribery. The deal, which stretches back to the 1980s, ended in 2006 with the sale of 72 Typhoon fighter jets.

The Serious Fraud Office closed the case in 2006 amid concerns that UK-Saudi relations might be harmed if it went forward with the investigation.

Four years later, a data breach occurred when the SFO mistakenly sent over 2,000 bags of evidence pertaining to the case to “Witness A” between November 2011 and February 2013.

A “relatively inexperienced” temporary worker sent 407 of the bags belonging to 64 people to the witness, the SFO later discovered.

Worse still for the Serious Fraud Office, the witness to whom the evidence was sent disclosed the breach to The Sunday Times, which ran a series of articles based on the misstep.

In total, the confidential personal information of 6,000 people, some of whom were in the public eye, as well as the sensitive personal information of two subjects, was compromised in the incident.

The SFO did not begin investigating the breach until 2013, after details of the error were requested in response to a parliamentary question.

“Given how high-profile this case was, and how sensitive the evidence being returned to witnesses potentially was, it is astounding that the SFO got this wrong,” said David Smith, Deputy Commissioner and Director of Data Protection at the Information Commissioner’s Office, an independent UK authority responsible for fining the SFO.

“This was an easily preventable breach that does not reflect well on the organisation. All law enforcement agencies should see this penalty as a warning that their legal obligations to look after people’s information continue even after their investigation has concluded.”

The SFO has recovered 98% of the documents and is taking action to make sure there are adequate security checks in place to ensure any case files containing personal information are delivered to their correct recipients.