MI5 slapped on the wrist for 'serious' surveillance data breach

Auditors poked around for a week after too many Peeping Toms had a trawl

By Gareth Corfield


Home Secretary Sajid Javid has confessed to Parliament that MI5 bungled the security of "certain technology environments used to store and analyse data," including that of ordinary Britons spied on by the agency.

In a lengthy Parliamentary statement made last week, Javid obliquely admitted that the agency had allowed more people to help themselves to its treasure troves of data on British citizens than was legally allowed.

The Home Secretary's statement referred to how "certain [data] processing" by MI5 and other spy agencies "is kept to the minimum necessary for the statutory purpose, including the number of people to whom material is made available, the number of copies made and the length of time it is retained."

Given how notoriously lax UK law is when it comes to allowing state employees to trawl through whatever personal data they fancy with few meaningful prior permissions required (known in the jargon as "lawful interception"), Lord Justice Fulford, the Investigatory Powers Commissioner and head of audit agency IPCO, characterised the breach as "serious" and requiring "immediate mitigation".

Javid, however, hid behind an ongoing legal case brought by the Liberty pressure group, aimed at getting the Investigatory Powers Act toughened up, as an excuse for not giving full details to Parliament. He only told MPs that "the compliance risks identified are limited to how material is treated after it has been obtained. They do not relate in any way to the manner in which MI5 acquires information in the first instance or the necessity and proportionality of doing so."

MI5's use of the data that Britain's dragnet surveillance operations hoover up is audited after the event by the Investigatory Powers Commissioner's Office (IPCO). In its annual report for 2017/18, the most recent one it has published, IPCO criticised MI5 for using "boilerplate text" in internal applications to spy on particular people and groups, suggesting that the spies weren't taking even the existing permissive laws seriously.

Lord Justice Fulford said in a statement: "I first became aware of the compliance risks identified by MI5 at an oral briefing meeting on 27 February 2019, and I immediately requested a comprehensive written description of all the matters that had then been outlined. This was provided on 11 March 2019."

He continued: "I am reassured that MI5 has taken immediate steps to introduce a series of mitigating actions in the light of that thorough review, and these actions – along with a programme of further measures that will be progressively implemented – provide sufficient reassurance that MI5's handling arrangements within the particular area of concern are now satisfactory as regards warranted material."

A team of IPCO investigators was sent into MI5 for a week to investigate the breach. There was no information from IPCO or Javid's statement suggesting that anyone was identified, caught, disciplined or charged with an offence as a result of the breach.

A lawyer for Liberty, Megan Goulding, said in a statement: "The breach in itself is deeply concerning but on top of that the way this has unfolded – with IPCO only finding out because MI5 reported it, and the wider public only knowing apparently because of our legal case – shows how fatally flawed the oversight system for security services is." ®


In pop culture, the answer to threats from a police worker is to say "get a warrant!" Taking this at face value, the UK merely has the Home and Foreign Secretaries (as ministers for domestic spy agency MI5 & GCHQ, and foreign spy agency MI6, respectively) sign so-called "thematic" warrants that authorise almost anything the spy agencies fancy doing, on a blanket, non-specific basis.

They've got a warrant. It's just not the type you wanted it to be.
