UK Ministry of Defence, EDS lose sensitive portable drive

Date Reported:
10/10/08

Organization:
The United Kingdom of Great Britain and Northern Ireland (UK)

Contractor/Consultant/Branch:
Ministry of Defence (MoD)
EDS Corporation

Location:
Hook, Hampshire (UK)

Victims:
Members of the UK armed forces as well as "people interested in joining up"

Number Affected:
"up to 1.7million"

Types of Data:
Name, address, telephone number, and in some cases "personal information such as next of kin details, passport and national insurance numbers, drivers' licence and bank details and national health service numbers"

Breach Description:
"The personal details of up to 1.7million army recruits are feared missing after a government IT contractor reported losing a removable computer hard drive.

Electronic Data Systems, which is contracted to work on a Ministry of Defence recruitment system, discovered the loss when auditing its storage media last week."

Reference URL:
The Times (UK)
ComputerWeekly
Independent Television News
Telegraph Media Group
PC Pro
Contractor UK

Report Credit:
Richard Kerbaj, The Times (UK), also shared with The Breach Blog by an informed reader.

Response:
From the online sources cited above:

The Ministry of Defence has admitted that the hard drive lost by EDS contained far more personal information than originally suspected.
[Evan] Another breach concerning the UK, concerning the MoD, and concerning EDS.  Three strikes.  What do you do when the government, the military, and an IT services contractor (with an information security practice) in concert cannot protect sensitive information?

private details of 100,000 members of Army, Royal Navy and RAF personnel, of all ranks, had gone missing from the premises of contractor EDS in Hook, Hampshire.

Defence minister Bob Ainsworth has admitted that the portable drive might also have "at worst" contained the details of another 1.7 million individuals who had made enquiries about joining the Armed Forces.

"For casual enquiries this will include no more than a name and contact details, but for those who applied to join the forces more extensive personal data may be held," he said.

for those serving personnel whose details were lost, the hard drive also held their next of kin details, passport and National Insurance numbers, drivers' licence and bank details and National Health Service numbers

Ainsworth claimed the data loss was unearthed during an EDS audit, conducted as part of the Cabinet Office's data handling review.

The loss of the drive was discovered last Wednesday and reported by EDS on the same day.

1TB portable hard drive
[Evan] Who would have thought that information on a portable drive would actually be portable?  Easy to lose and easy to steal.  A person can get a 1TB mobile drive with hardware encryption and biometric (fingerprint) access/authorization for less than $300.  We have three of these and use them all of the time.  Hmmm.

it's not known when the drive disappeared

Mr Ainsworth said: "[This] illustrates the need continually to review and enhance our arrangements for personal data."
[Evan] Yes it does.  Maybe you've listened to what good information security professionals have been saying for years and you already do this.

Ainsworth also admitted that it was unlikely that the drive itself would have been encrypted, as it was being held at a secure location.
[Evan] This is a poor excuse.  A defense-in-depth approach (a common information security concept) would have given the forethought to take into account physical compromise.  Remember, it's only $300.

The Ministry of Defence initially feared it had lost the details of 100,000 members of the armed forces, as well as the names and phone numbers for 800,000 people interested in joining up.

Speaking to PC Pro at the time of the incident, an EDS spokesperson claimed: "It's not lost - there's a subtle difference. It could be at the back of someone's filing cabinet."
[Evan] Huh?  If you cannot find something, isn't it lost?

Sir Robert Fry, head of EDS Defence, has said that a portable hard drive which went missing had not needed to be encrypted under Ministry of Defence procedures because it was held in secure premises.
[Evan] Really?  This is lazy.  It's like, "We weren't required to protect the data, so we didn't."

"The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defence work, when it sits inside a secure site."

Fry said he was unable to rule out the malicious use of any data on the missing drive. But he said that "if it was intended for any malicious purpose, we would have had some indication that that was the case before now".
[Evan] I take it that Sir Fry is not an information security professional.

"I have really got to stress the fact that this [the place from which the drive went missing] is a secure environment. It is protected to all the levels specified by the Ministry of Defence in physical, electronic and virtual terms." (Sir Fry)

John Hutton, the new Defence Secretary, was said to be "spitting mad" when he heard about the situation.

Liberal Democrat defence spokesman Nick Harvey said: "This data loss is an absolute scandal and on a far larger scale than previously feared.

"In the past soldiers have been targeted by extremists. One dreads to think what might happen if this information were to fall into the wrong hands.
[Evan] This is a good point and I didn't even think about this.  This breach has the potential to put soldiers and their families at an increased risk of physical harm.  What kind of excuse do you make for this?

"It is yet another unwelcome burden for our servicemen and women to worry about, at a time when they are already under great pressure because of overstretch.

"It beggars belief that the Government cannot competently manage such a basic task. There must be an urgent inquiry into how this happened."
[Evan] I think I know what "beggars belief" means, but it sounds funny.  Englishmen talk funny.

The MoD is investigating the loss

The Ministry of Defence police had now set up a telephone help-line for anyone affected by the incident, while the Association for Payment Clearing Services was monitoring bank accounts for any "unauthorised access".

The Ministry of Defence said in a statement that the hard drive may yet turn up at another secure site.
[Evan] Let's hope to God that it does and let's also hope they start encrypting sensitive information in transit AND at rest.

Commentary:
What do you say about this that hasn't already been said?  It seems like big changes are needed in people, process and technology.

Past Breaches:
Ministry of Defence (MoD):
January, 2008 - Stolen UK Ministry of Defence laptop affects up to 600,000

EDS Corporation:
August, 2007 - Former Electronic Data Systems Employee Charged with Identity Theft of 498
December, 2007 - TRICARE breach affects 4,700 households
January, 2008 - Wisconsin Dept. of Health and Family Services mails Social Security numbers
September, 2008 - UK prison officer information on lost contractor hard drive
