
Data breach exposes UK Department for International Trade's bad practices

An embarrassing data breach at the Department for International Trade has exposed its shocking Freedom of Information (FOI) practices.

The breach, which has been dubbed a 'human error', showed the department to be in breach of multiple rules surrounding Freedom of Information. 


What happened?

A journalist at the news website and intelligence platform Politico was sent an email from the Department for International Trade that contained the entire FOI caseload for the government branch.

Quite remarkably, this happened not once, but twice over a two-week period. All the files sent to the journalist were marked with a government security classification, which a follow-up email from the department pointed out. 

The breach did not contain names but did reveal which entities the requests came from, including NGOs, campaign groups, and media organizations including the Guardian and the BBC. 

What did the breach expose?

The breach exposed the Department for International Trade's shocking FOI practices, showing that a Cabinet Office 'Clearing House' stopped information from being handed over to journalists against the wishes of the Department's information officers.

The Clearing House, a wing of the Cabinet Office that ultimately decides how each FOI request is handled, has recently lost a legal battle regarding the opaque nature of its operations and the fact that it keeps a note of who makes the requests.

This is troubling because FOI requests are, legally, supposed to be devoid of reference to the interested party's identity, or 'applicant-blind'. 

As many on the Labour front benches have already pointed out, evidence of these practices means Michael Gove lied to Parliament and, in turn, broke the ministerial code when he denied that this sort of thing existed whilst giving evidence to the House.

What was the response?

According to Politico, the Department for International Trade said in its follow-up email that it would fulfill its obligation to report the incident to the Information Commissioner's Office. However, as it stands, the ICO is yet to receive a report about this incident.

When a data breach occurs, public bodies have 72 hours to report it to the ICO if it does not pose a threat to people's freedoms. The Department argues that it does not fulfill the requirements to report it in this time period. 

Shadow Secretary of State for International Trade Emily Thornberry said of the breach:

"What we are seeing revealed here is something deeply dangerous and corrosive to our democracy: evidence of a government department breaching the FOI guidelines, categorizing information according to its sensitivity and the person requesting it, and taking advice on handling requests from the secret Cabinet Office Clearing House."

Emily Thornberry, Shadow Secretary of State for International Trade

The Shadow Secretary went on to say that it was vital to determine whether this was being done to "circumvent or delay the government's obligations under the law". 

Data breaches aren't always attacks

The important takeaway from stories like this is that although data breaches are often a result of an attack on a network, server, or system by some malicious actor, they can easily arise from human error.

Thousands upon thousands of emails are sent to the wrong recipient every single year, by companies big and small.

Clearly, even government departments aren't immune.

This data breach is, in an odd way, a virtuous one, because it has exposed the bad practices going on at the Department for International Trade, and because it was sent to a reputable media organization that has not used the information for malicious purposes but has simply reported on it. Luckily for the Department for International Trade, Politico complied with an order to delete the documents.

It is, however, also a reminder that sometimes the biggest security vulnerabilities in an organization can be employees slipping up, or not taking enough care when handling sensitive information. 

Written by: Aaron Drapkin

After graduating with a philosophy degree from the University of Bristol in 2018, Aaron became a researcher at news digest magazine The Week following a year as editor of satirical website The Whip. Freelancing alongside these roles, his work has appeared in publications such as Vice, Metro, Tablet and New Internationalist, as well as The Week's online edition.

