A Ministry of Justice investigation has found that EDS lost track of data on prison staff a year before the breach was noticed.
Jack Straw, the justice minister, told parliament on Thursday that the HP subsidiary is to undergo an annual audit of its security, and pay for costs arising from the loss, including retraining.
The ministry's investigation into the data breach, which, when announced in September, was thought to affect 5,000 staff, has shown the hard drive contained "256 items of sensitive personal information" that had the potential to cause damage if leaked. The information included addresses, bank details, national insurance numbers and dates of birth.
"There remains no indication that this information has entered the public domain," Straw said in a written statement.
The investigation found the data had been downloaded to a hard drive as part of a data-recovery exercise in July 2007. Despite a company policy to purge discs before their reuse, the disc was not wiped before it was removed from the site. "Thereafter EDS failed to take adequate measures to track or record the location of the hard drive when it was transferred to another site," said Straw.
"This did not comply with data-protection principles, and also meant that the investigation could not identify precisely when or where the hard drive went missing," he added. "The inadequacy of EDS's tracking systems meant that the data was not missed until 2 July, 2008."
EDS reported the loss to the National Offender Management Service (Noms) IT security team the day after, with a written report following on 4 July.
"The Noms IT security team did not take sufficient action following receipt of the interim report, with the result that senior officials and ministers were not aware of the loss until 6 September, when comprehensive and appropriate action was taken to identify and contact any staff involved and to investigate further the circumstances of the loss," said Straw. Noms is taking disciplinary action against some staff as a result.
EDS will undertake a number of measures to improve information security. It will undergo an annual independent audit of its compliance with security standards, with the requirement that it rectifies any areas found not to be compliant.
The firm will also pay for a series of improved security measures and will reimburse Noms for its expenses from the incident. This will include identifying and destroying all uncontrolled copies of Noms' sensitive data.
EDS will also pay security-training costs, both for its staff and those at Noms.





