Seven strange UK data breaches involving lost or unprotected information

A lot of the data breaches that appear in the news are ones that happen in the digital world: mysterious hacks, information accidentally shared online, or even huge companies sending out communications and forgetting to use BCC. However, there are still many data breaches happening in the physical world.

Here are seven strange data breaches that involved lost or unprotected physical information.

1) A pharmacy that was reported to have left half a million patient records outside its back door.

The first-ever fine issued under the GDPR went to a pharmacy in Burnt Oak, North West London. The Information Commissioner’s Office issued a £275,000 fine to the pharmacy for leaving what was originally thought to be 500,000 documents in 47 unlocked crates, 2 bags, and even a cardboard box in its rear courtyard – exposed to the elements and the risk of theft. The documents contained names, addresses, dates of birth, NHS numbers, prescription information and medical information relating to a suspected 78 care homes – though the pharmacy disputed this.

The enforcement notice sent to the pharmacy states that “some of the documents were soaking wet, indicating that they had been stored in this way for some time”.

In its appeal, the pharmacy identified that only 73,719 documents had been recovered from the premises. However, because it did not maintain a retention policy or effectively destroy information when it was no longer needed, its appeal was rejected. The fine, though, was reduced to £92,000. But why not just destroy the documents? For a pharmacy that handles so much sensitive information, this is a strange case.

2) Classified documents found at a bus stop.

Probably the most well-known physical data breach in recent UK history took place in June 2021, when around 50 documents were discovered in “a soggy heap” behind a bus stop in Kent. The documents were discovered by a member of the public who then contacted the BBC. The BBC revealed that the documents – some of which were marked “Secret UK Eyes Only” and “Official Sensitive” – originated from the Ministry of Defence.

Angus Lapsley, the civil servant who was later named as the individual who misplaced the documents, had self-reported the loss on the same day the documents were found. This is reported to have occurred five days before the BBC published the story. He initially denied that the documents were top secret in nature. Despite this, he was not charged with breaching the Official Secrets Act.

While it is unfortunate that the documents were given to the press, they could have been discovered by someone with worse intentions. This case shows the importance of keeping confidential materials under lock and key when not in use. Labour’s Shadow Defence Secretary, John Healey, expressed his surprise that the documents had been taken out of the Ministry of Defence at all.

3) The USB stick that held information about the late Queen’s travel security arrangements.

Back in 2017, a man was walking to his local library when he stumbled across a lost USB stick. He accessed its contents on arrival at the library. When he realised what it contained, he handed it to the press.

The USB, which was unencrypted and didn’t have password protection, contained 76 folders. These folders contained maps, videos, and many documents. These files included the exact route the Queen would take when using a specific London airport and the precise security measures used to protect her. It also contained sensitive information of up to 60 people. This included ID used by covert police officers. It also included a huge amount of information about the airport’s general security. For example, routes and safeguards for ministers and foreign dignitaries, a timetable of guard patrols, details of the ultrasound radar system used to scan runways, and maps pinpointing CCTV cameras, tunnels, and escape shafts linked to the airport’s express train.

The airport launched a “very, very urgent” investigation according to The Mirror. However, it was ultimately fined £120,000 by the Information Commissioner’s Office, which was not alerted about the loss of the USB device and first became aware of it via the media.

The contents of the device would be extremely valuable to anyone interested in attacking the UK. The strange thing about this case is that, at the time, no one knew how the USB ended up on the street. Why did it have all that information to begin with? It could have been simple incompetence by airport security, or something much more sinister. Ultimately, the airport’s own investigation deemed it was the former.

This incident showcases the importance of encrypting your devices. When your devices are no longer needed, they should also be destroyed to prevent loss or theft.

4) The NHS computers sold online with hard drives still intact.

Way back in 2012, NHS Surrey (now dissolved) was doing business with a local destruction company. What was strange in this instance was that the trust and its new provider didn’t have a formal contract in place. This is highly unusual considering the sensitive data involved. The destruction company had been performing free wiping and destruction of computer equipment for the trust with the agreement that they could sell any salvageable parts after destruction.

Unfortunately, NHS Surrey was then contacted by a member of the public who had purchased a second-hand computer online. On this computer was a treasure trove of confidential and sensitive personal information. This included HR records and patient records relating to around 900 adults and 2,000 children – all treated by NHS Surrey.

The trust scrambled to recover ten computers that once belonged to them. Three of these still contained sensitive personal data. The ICO fined the trust £200,000 for failing to protect the information of its patients and staff.

This happened within months of another hospital trust being fined £325,000 as a result of hard drives being stolen and sold online. In that case, the thief was an individual working for the company that had been contracted to destroy the hard drives.

These cases show that you should be very careful with the companies you use for information destruction. Only use fully accredited and professional companies.

5) Military science base secret files discovered in a recycling bin in a North London car park.

In 2019, a member of the public discovered 30 years’ worth of sensitive paperwork in the recycling bin of a North London car park. These files were then shared with The Daily Star. It was then revealed that the documents belonged to Porton Down Science Campus – Britain’s top-secret chemical warfare base that carries out research into chemical weapons and deadly diseases.

The Daily Star reported that the documents contained details of equipment carried by guards at the site, passwords to computer systems, details about the police who patrol the perimeter of the base and even the home address of one guard. The Salisbury Journal also reported that the documents contained HR forms of former employees.

While it has never been revealed how these items found their way into a car park’s recycling bin, this case demonstrates the importance of securely destroying any personal documents that are no longer needed. Luckily, these documents were not found by someone with malicious intentions.

6) The Cabinet Office minister photographed throwing classified paperwork into a park bin.

In another case surrounding the incorrect disposal of confidential materials, we travel back to 2011. In this event, we find a government employee at the centre. Conservative minister Oliver Letwin was photographed by the Daily Mirror dumping documents into public waste bins. The 100+ documents recovered by the Mirror reportedly included correspondence from constituents, intelligence and security committee letters, and more.

The Information Commissioner’s Office investigated these incidents and ruled that Letwin was in breach of the Data Protection Act. He was then ordered to sign papers binding him to keep constituent details safe.

Ed Miliband, the Labour leader at the time, accused the minister of “treating important papers with contempt”, commenting that it was “very strange behaviour”. We agree, Mr Miliband! Shredding is a much safer option.

7) USB sticks lost by a senior IT worker at a nuclear plant.

In 2023, a senior IT worker at a nuclear plant was dismissed after losing USB sticks in the plant’s car park. The employee, who had worked for the company for over 20 years, was eventually discovered to have been taking information off-premises and saving it to personal devices to work on the materials from home. The employee had not sought permission to do this. She was ultimately found out when the devices were discovered in the car park by a colleague. Fortunately, these devices were lost on company premises.

While, on the surface, this seems like an innocent enough explanation, it is worth all businesses making their Bring Your Own Device policies clear to workers – particularly those who do work from home.

These are just seven higher-profile incidents of confidential materials being lost or improperly disposed of in modern UK history. Hundreds of others happen every year. From patient files discovered at abandoned nursing homes in Hampshire and Norfolk to information about thousands of Housing Association tenants found on a USB stick at a pub, physical data breaches can happen anywhere.

These seven incidents can be used as a cautionary tale for any person, business, or public body that holds personal or sensitive information. If in doubt about what to do with confidential materials you no longer need, feel free to contact our experts. We can assist you with your destruction requirements for paper, hard drives, USB sticks, and much more.