Stolen UK Ministry of Defence laptop affects up to 600,000
Date Reported:
1/18/08
Organization:
The United Kingdom of Great Britain and Northern Ireland (UK)
Contractor/Consultant/Branch:
Ministry of Defence (MoD)
Victims:
"people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force"
Number Affected:
600,000
Types of Data:
Names, addresses, telephone numbers, passport details, National Insurance numbers, drivers’ license details, family details, doctors’ addresses, National Health Service numbers, and banking details*
*Some records contained nothing more than a name, and others contained all of the information noted above. The information collected was dependent upon how far a military candidate went in the enlistment process.
Breach Description:
A laptop computer was stolen from the car of an officer of the UK Royal Navy. The laptop was not encrypted and contained sensitive personal information belonging to new and potential recruits to the Royal Marines, the Royal Navy and the Royal Air Force.
Reference URL:
The UK Ministry of Defence News Release
The Sunday Times Story online
PC World Story
Report Credit:
UK Ministry of Defence ("MoD")
Response:
From the online sources cited above:
The Ministry of Defence can confirm that a laptop was stolen from a Royal Navy officer in Birmingham last week, on the night of 9/10 January, and as a result, a large quantity of personal data has been lost.
The Royal Navy careers officer who lost the data is believed to have worked at a recruiting office in Birmingham. He is expected to be court-martialled.
[Evan] I believe that the person responsible should be held accountable, but I question whether or not this officer is ultimately responsible. Did the actions that led to this breach go against standard procedure? What is the standard procedure? Was the officer properly trained on standard procedure? Unfortunately, I am not optimistic that court-martialling this officer will do much to protect against future breaches. More is needed.
After consultation with West Midlands Police about the impact on the investigation were the theft to become public knowledge, we did not immediately make public the loss of this data. In view of today’s media reports, we have, however, decided that it would now be right to do so.
Although the theft of the laptop that contained the unencrypted data was reported to the police immediately, they said it was only “later” that they were told what was on it.
[Evan] Maybe the MoD didn't know what was on it. The fact that a laptop is used to access, create and/or store confidential data without encryption is inexcusable. This points to a bigger issue.
“I don't think they know what was on this”, Liam Fox, shadow defence secretary
“There are a very large number of questions that will have to be answered on Monday. This is either catastrophically lax procedure or this individual is very irresponsible.”, Liam Fox
[Evan] My vote is lax procedure and poor practice.
The stolen laptop contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force.
The information held is not the same for every individual. In some cases, for casual enquiries, the record is no more than a name. But, for those who progressed as far as submitting an application to join the Forces, extensive personal data may be held, including passport details, National Insurance numbers, drivers’ licence details, family details, doctors’ addresses and National Health Service numbers.
The computer did not have anything other than basic security systems, but once the thief had accessed the computer the data itself could be easily read.
The Ministry of Defence is treating the loss of this data with the utmost seriousness.
We are writing to some 3,500 people whose bank details were included on the database.
Action has already been taken with the assistance of APACS [Association for Payment Clearing Services] to inform the relevant banks so that the relevant accounts can be flagged for scrutiny against unauthorised access.
The Secretary of State will make a statement to Parliament at the earliest opportunity.
Information Commissioner Richard Thomas said he would be demanding answers from the MoD over the loss of the data and why it was unencrypted.
"We will require satisfactory answers from the MoD about their data protection practices and a firm assurance that steps have been taken to improve these practices before deciding on the appropriate action to take," Richard Thomas
Douglas Young, of the British Armed Forces Federation, said there had to be a “top level investigation” into the whole affair. “It really is very, very worrying and I'm deeply concerned to hear this.”
“This incident once again highlights the need for organisations to think long and hard about the data they allow employees to take off site on laptops and mobile devices,” Philip Wicks, Morse security consultancy
[Evan] Yep. I have a dream that someday organizations will wake up and get it.
“The MOD should definitely have policies and procedures in place that dictate what information can and can’t be taken off the premises. At a minimum they should make sure that personal and sensitive data on laptops is always encrypted.”, Philip Wicks
[Evan] Amen Philip.
Advice can be sought by emailing
We have also established a helpline for individuals to seek further advice. The number is 0800 0853600. This number will be open between 1000hrs and 1700hrs today (Saturday 19 January 2008), 0800hrs to 1700hrs on Sunday 20 January and 0700hrs to 1900hrs between Monday and Friday.
Reader Comments:
"The person in question should not be fired. He or she should be JAILED for life. Now that's what would make a great example and deter these funny civil servants from playing with fire.", Kate McCluskey UK
[Evan] People are getting fed up, and are saying enough is enough.
"Unfortunately, what all these data-loss incidents show is a completely cavalier attitude to data protection.
This is probably only the tip of the iceberg, as this latest case was leaked into the public domain, and would have been covered up otherwise.
That the Government should be trying to con us into placing all our vital information onto a central database, linked to an id card, doesn't bear thinking about.", Daniel Fernandez, UK
Commentary:
A common theme in the news stories that I have read is to point the blame at the Navy officer. I don't doubt that he has some blame in this case, but I think the issue is much larger. There is very little mention of what the MoD's policy and procedure are with regard to confidential personal information. If the Navy officer was following procedure or wasn't aware of the procedure, then the issues are much larger in scope and more difficult to address.
The MoD would benefit from encrypting all mobile devices whether they are used for confidential data storage or not.
Past Breaches:
Unknown
