Serious Farce Office: SFO suffers biggest-ever criminal data breach

Documents, tapes and data files from BAE Systems investigation go astray as agency blames ‘human error’
  • @TheIndyBusiness

The Serious Fraud Office is engulfed by a new scandal after it admitted that thousands of pages of evidence as well as tapes and data files from 58 separate sources were sent back to the wrong owner.

The enormous volume of evidence related to its long-running corruption investigation into defence giant BAE Systems which finally ended in 2010 with the company agreeing to pay almost £300m in the US and UK.

The data constituted fully 3 per cent of the total evidence accumulated as part of the case, and included 32,000 document pages and 81 audio tapes in addition to electronic media.

Frantic efforts were underway to contact the sources of that evidence and other people who might be affected by the leak, which occurred between May and October last year.

The Independent understands that the information was leaked to an unnamed individual, rather than an organisation.

At the end of a case the agency said it was “under an obligation” to return material gathered from sources if that was requested. But thanks to what was described as “human error” and “poor systems and processes” far more was returned to that individual than should have been.

The SFO insisted nothing that could breach “national security” was included, but even though 98 per cent of the material has been returned, a proportion of the information has still not been recovered although some of it was destroyed by the recipient.

The SFO’s director, David Green, has drafted in Peter Mason, a former director of security for Parliament, to conduct a review of the case.

A second “wide-ranging review” of all the organisation’s business processes has also been instigated under Alan Woods, a former senior civil servant.

The senior information risk owner who had oversight of the unit responsible for the material is known to have left the SFO at the end of 2012, one of a string of departures the agency has been grappling with.

But disciplinary action in response to the breach has not been ruled out after the reviews have been completed.

The SFO’s future has been under question for some time, but it was granted a stay of execution under Mr Green, albeit with a sharply reduced budget of just £32m.

By contrast, the Financial Services Authority – which deals only with the City as opposed the whole of corporate Britain – has an enforcement budget of more than twice that size.

The latest imbroglio comes just months after a three-year inquiry into the property tycoon Tchenguiz brothers ended in failure, days after  Mr Green announced a new, hard-line stance and revised terms of business. The brothers have since embarked on a £300m lawsuit against the SFO, which has endured a string  of setbacks.

These include the October 2012 scrapping of a three-year investigation into the collapse of Icelandic bank Kaupthing because of a lack of sufficient evidence to continue.

Meanwhile, 2008 saw the abandonment of the agency’s biggest prosecution to date, which related to alleged price fixing in the drug market. That investigation could have cost the taxpayer as much as £40m.

More recently, Richard Alderman, Mr Green’s predecessor, was accused by MPs of “a disregard for the proper use of taxpayers’ money” in agreeing payoffs worth around £1m for three former senior staff members without the proper approvals.

A spokesman for the SFO said: “Any loss of data is a serious matter and the SFO has taken action to ensure no further material can be wrongly sent out.”

In a statement, BAE Systems said: “We were concerned to hear of this unfortunate incident but understand it has now been dealt with by the relevant authorities.

“Ultimately, this is a matter for the SFO and as far as BAE Systems is concerned it is now closed.”

The SFO said that as a result of  Mr Mason’s review of the affair “continuing ownership of the data in a concluded case” would be assigned to designated operational staff.

The agency will also redraft the responsibilities of the current senior information risk owner and “raise the profile of data handling as a key risk in the SFO’s business”.

Timeline: The SFO and BAE

2004 Serious Fraud Office opens inquiry into BAE and its massive Al-Yamamah oil-for-arms deal with Saudi Arabia.  

2004 BAE confirms SFO and Ministry of Defence are looking at allegations it paid ‘backhanders’ to Tanzania for a £28m military air traffic control system.

2006 SFO drops inquiry into Saudi  after Government “representations” about national security.

2007 BAE payments in a South African arms come under scrutiny.

2007 A deal by BAE-Saab to sell Gripen fighters to the Czechs is investigated.

2010 BAE agrees to pay $400m (£257m) to US over the sale of fighters to Saudi Arabia and Eastern Europe and reaches £30m settlement with SFO over its Tanzanian accounting.