A judge's emails were automatically forwarded to a malicious account in Nigeria, HM Courts & Tribunals Service revealed today. It is one of five personal data-related incidents listed in HMCTS's annual report that were reported to the Information Commissioner's Office (ICO), the data regulator.

The report states that, on 20 September 2018, HMCTS Digital uncovered a breach of the eJudiciary system. 'A rule had been added to the judge's email account which meant all emails received by the judge were automatically forwarded to a malicious email account with an IP address in Nigeria,' it says. One person was potentially affected. Explaining the notification steps taken, the report says: 'Withdrawn by HMCTS as the incident and data controller was the Judicial Office'.

A Ministry of Justice spokesperson told the Gazette: 'This was an isolated incident on one email address, and likely a result of a scam. Our security is kept under constant review and steps have been taken to prevent this from happening again, including reminding email users about such scams.'

The ICO decided not to take action after HMCTS disclosed sensitive information to someone requesting information relating to a neighbour's previous convictions.

The incident occurred on 13 March. The report says: 'A junior member of staff responded via email that the data subject had been convicted on 3 May 2002 but that such conviction was now spent since May 2007. The nature of the offence was neither confirmed or denied. However, the implied confirmation may have re-enforced the enquirer's view that offences of this nature were involved. This was a breach of the Rehabilitation of Offenders Act 1974.'

The ICO was notified on 29 March. The report says: 'The ICO closed its investigation taking no action noting incident that while the ICO recognises the extreme sensitivity of the information disclosed and the possibilities for detriment, it is not considered to be significant in this instance.'

On 1 May 2018, an application for an adoption hearing was mistakenly disclosed to the birth mother, which contained the adoptees' names and addresses. Two people were potentially affected. The ICO took no action 'noting that the incident was due to human error'.

The ICO again took no action when, on 30 July 2018, a bag of paperwork and driving licences was lost in transit by a courier company. Around 260 people were potentially affected. The data was found and had been incorrectly delivered to another HMCTS business unit. 

On 12 June 2018, HMCTS issued two court notices to an incorrect address. The report says: 'Both court notices contained name, date of birth, account/case references of the data subject. The first document also contained details of the offence. The offence was "distributing an indecent photograph or pseudo-photograph of a child". One person was potentially affected. The incident was dealt with through the formal HMCTS complaints process.'