The UK military admitted on a television program (Who’s Watching You, BBC2) this Monday (25th May) that they had lost a large amount of highly sensitive information which could potentially expose high-ranking service men and women to bribery, extortion, compromise, identity theft and fraud, to name but a few possible outcomes.
The British Royal Air Force reported the loss of three unencrypted computer hard drives back in September of 2008. At the time though, they ‘only’ reported that the home addresses and banking details of 50,000 service personnel were contained on the disks.
Subsequent to a Freedom of Information request, an internal memo has surfaced which drastically ups the stakes for those affected.
The memo said:
“This information included details of criminal convictions, investigations, precise details of debt, medical conditions, drug abuse, use of prostitutes, extra-marital affairs including the names of third parties.
“The data is not routine vetting information, but relates to those cases that have been referred to RAF because the individuals have serious vulnerabilities that affect their suitability to obtain/retain a security clearance.
“This data provides an excellent target list for foreign intelligence services, investigative journalists and blackmailers.”
Worryingly it seems that the scope of the data breach has been concealed not only from the general public, but also from government and from the Information Commissioner who is responsible for overseeing the safekeeping of personal data by organisations both commercial and state.
In a somewhat ironic statement, the Telegraph reported that the Ministry of Defence had said:
“The information was taken from individuals during the vetting process to ensure that people ‘can be trusted with sensitive government information and property’.”
The fact that this amount and level of sensitive data was both unencrypted and subsequently lost astounds me. I often hear the Ministry of Defence being held up as an example of an organisation that leads the way in data security. This event represents a catastrophic failure in procedure that could have far-reaching consequences on the personal and family lives of thousands of service personnel.
The “Data Handling Procedures in Government” report from June 2008 mandates:
“Obligatory use of protective measures (such as encryption and penetration testing) and controls (for example on use of mobile devices or on access to records). These will protect all personal data, while recognising that some data require a greater degree of protection than others.”
We can only hope that the drives in question are recovered in short order (which now seems unlikely) or otherwise remain undiscovered for good, as the nature of the data lost ensures that these drives represent a highly valuable resource, not just for organised crime but also to international espionage, and that they will be actively sought out.