Three USB hard drives containing personal info of military personnel have been stolen

Sep 29, 2008 10:25 GMT

The UK Ministry of Defence (MoD) has to deal with yet another incident involving the leak of sensitive information. According to the Daily Mail, three portable storage devices containing the personal information of up to 50,000 retired and active military personnel have been stolen from the RAF Innsworth base in Gloucestershire.

The hard drives were stolen from the Service Personnel and Veterans Agency offices and the information is believed to consist of appraisal records. Such records can include a person's name, service number, address, birth date, where they served, what promotions they got and why, as well as what medals they were awarded. According to a spokesman, only two of the drives actually contained sensitive information and there is no clear indication that the theft targeted the stored data in particular.

“Two of the drives are believed to have contained potentially sensitive personal data relating to personnel who served in the Royal Air Force in recent years; the third hard drive did not contain any personal data. The theft of these hard drives from a secure location, where they were subject to physical protection standards consistent with the Data Handling Review, is being treated with great seriousness,” said the MoD spokesman. He confirmed that “an investigation is being conducted by the MOD Police, with the support of Gloucestershire Police into the apparent theft”.

This incident not only poses a great security risk if the information gets into the hands of identity thieves, but could also be a loss from a historical perspective. According to Tony Mason, a now retired Air Vice-Marshal who was in command of all personnel records and promotions at RAF Innsworth until 1989, records dating back to 1918 used to be stored there. He commented for This is Gloucestershire that, in his opinion, “the loss is acutely embarrassing” and that “this is an astonishing lapse in security”.

Former Shadow Minister for Defence Mark Harper noted that “this breach of security is yet another example of the Government's inability to protect the personal data of our citizens,” while Shadow Defence Secretary Nick Harvey pointed out that “this is just the latest in a seemingly endless stream of stories involving personal information being lost or stolen”.

According to official statements, 658 laptop computers belonging to the MoD have been stolen in the last four years, out of which only 32 have been recovered. In addition, 26 MoD memory sticks containing sensitive information were lost or stolen this year alone. Some other MoD-related data leak incidents that we previously reported include the loss of personal information of 100,000 UK convicted criminals by government-contracted firm PA Consulting and the loss of records on 25 million people by the HMRC, the British department responsible for tax collection.

Sophos' Senior Technology Consultant, Graham Cluley, pointed out that “there is no mention of whether the data on the drives was encrypted or not,” which makes for a very pertinent observation. “In my view it would have been extremely appropriate to mention that in the MOD statement, as if proper encryption had been used then at least services staff would have some comfort that it would be very difficult for crooks to get up to shenanigans with the data,” he added.