The Ministry of Defence appears to have been infiltrated by Data Traitors:
MOD confirms loss of recruitment data
The Ministry of Defence can confirm that a laptop was stolen from a Royal Navy officer in Birmingham last week, on the night of 9/10 January, and as a result, a large quantity of personal data has been lost.
The stolen laptop contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force
The information held is not the same for every individual. In some cases, for casual enquiries, the record is no more than a name. But, for those who progressed as far as submitting an application to join the Forces, extensive personal data may be held, including passport details, National Insurance numbers, drivers' licence details, family details, doctors' addresses and National Health Service numbers.
The Ministry of Defence is treating the loss of this data with the utmost seriousness. We are writing to some 3,500 people whose bank details were included on the database. Action has already been taken with the assistance of APACS [Association for Payment Clearing Services] to inform the relevant banks so that the relevant accounts can be flagged for scrutiny against unauthorised access.
Given all the recent publicity over the still not yet resolved HMRC data privacy and security scandal, there is no possible excuse of ignorance for the Ministry of Defence generally, and their Recruitment bureaucracy in particular, to have allowed this latest data security breach, involving a stolen laptop computer, which, for no good reason, contained over 600,000 people's records.
These are not just random members of the public, they are people who have expressed some interest, or who have actually supplied extensive personal details, as part of the process of being recruited into our Military frontline and support forces.
After all the HMRC and other recent data security and privacy breach publicity, this incident cannot be the result of ignorance.
There must be some malice involved, an actual betrayal of trust and national security which potentially puts people's lives at risk i.e. the people responsible are Data Traitors
Have they been bribed or coerced, or are they working to deliberately put such data at risk, for ideological reasons ? Is this the work of Al Quaeda or Taliban sympathisers, or of Russian or Chinese spies ?
This is not the first time that MOD laptop computers have been lost or stolen:
Written answers Wednesday, 22 June 2005
Lynne Featherstone (Hornsey & Wood Green, Liberal Democrat) |
To ask the Secretary of State for Defence how many laptop computers have been used by (a) Ministers, (b) special advisers and (c) officials in his Department in each year since 1995; how many have been (i) lost and (ii) stolen in that period; what the cost was of the use of laptops in that period; and if he will make a statement
Adam Ingram (Minister of State (Armed Forces), Ministry of Defence)
The approximate number currently in use (covering laptops purchased in the last four years and held by both MOD civilians and Service personnel) is estimated to be in the order of 46,000 at an overall cost of £69 million.
75 laptop computers belonging to the Ministry of Defence (including the armed forces) are recorded as having been lost and 590 as having been stolen since 1995.
The Ministry of Defence is alert to the vulnerabilities of laptops and security policy and procedures are continually being reviewed and revised to introduce measures to reduce the numbers of laptops stolen or lost, and to mitigate the impact when losses occur.
Why then, has this current data security scandal happened ? Will any senior Sir Humphrey's take the blame and resign ?
Following the HMRC scandal late last year, the interim report by Robert Hannigan, the newly appointed Cabinet Office Head of Intelligence, Security and Resilience:- Data Handling Procedures in Government: Interim Progress Report (.pdf 999Kb - only 14 pages) has a short section by the Ministry of Defence, claiming that all is well:
32. The Ministry of Defence has reassessed its policies and procedures in light of the incident with HMRC data, and is taking forward work to ensure that bulk data transfers are better protected and will make more explicit the need for early involvement of Data Protection Act specialists. MoD is seeking to achieve the same consistency in assessing the sensitivity of non-operational data in terms of impact level and classification as it routinely does with operational and research-based systems.
See our previous blog article: Poynter and Hannigan review reports fail to reassure anyone about UK Government data security and privacy issues - final reports delayed until after the May 2008 Local Elections ?
The MOD spokesweasels claim that
The Ministry of Defence is treating the loss of this data with the utmost seriousness.
If that was true, then either the junior Minister of State for the Armed Forces Bob Ainsworth or, preferably, the useless Des "Swiss Tony" Browne, the part time Secretary of State for Scotland (and also for Defence) would already have resigned from office, but they Labour Ministers have no sense of honour or duty, and will, on past performance, attempt to shift the blame onto their junior staff.
The MOD press release tries to divert public attention from just how serious this data breach is, by playing up the relatively minor potential bank fraud aspects of this scandal, something which the mainstream media are swallowing, and regurgitating:
We are writing to some 3,500 people whose bank details were included on the database
How about physically re-locating the families of the people whose lives this breach puts at risk ?
It would not surprise us, if, just like the HMRC scandal, the Ministry of Defence letters actually contain the bank account details of the the people they are warning.
Note that there does not seem to be any actual public apology for this scandal.
The national security implications for the personal safety of members of the armed forces and their families, outweighs any public interest in a criminal prosecution of opportunist thieves, if that turns out to be who have stolen the laptop computer.
Remember, thatAbu Bakr Mansha was convicted under the controversial Terrorism Act 2000 section 58 Collection of information, and was sentenced to 6 years in prison, for the possession of just one, out of date, home address of a serving soldier.
We think that this stolen laptop data would be of enormous practical value in aiding terrorist attacks and espionage by foreign intelligence agencies.
Members of the armed forces, or their families, or the patriotic people who were simply considering a Military career, now face potential physical attacks or postal, telephone or email threats and harassment, if this data gets into the wrong hands.
What should be done about this scandal ?
The media, opposition politicians and the general public should demand:
- An immediate, substantial monetary cash reward for the safe return of the missing computer, "no questions asked". This should be offered now, not in a month's time, when the trail has gone even colder.
As with the missing HMRC CDs, Spy Blog, is willing, to offer a little help (but not, unfortunately, any cash) , to act as a proxy cut-out, between anyone with with information about the whereabouts of these missing items (CDs or laptops computers). In the unlikely event that anyone with such knowledge wishes to contact the authorities, or even the mainstream media, then they can contact us via email or via the comments on this blog, anonymously.
They might find our Hints and Tips for Whistleblowers suggestions to be of some use, in preserving their anonymity if they do try to contact us or the media or the authorities with information or the actual laptop.
The offer of any such Reward should not make it any more likely that MOD or Military laptop computers will be deliberately stolen for their data, rather than just for their intrinsic value as laptop computers by opportunist thieves, if the next point is implemented at once.
- An immediate confiscation of all laptop computers in the Ministry of Defence , and ideally throughout Whitehall, which are not yet running UK Government approved strong , whole disk encryption.
The technology to do this has been available for several years. The former UK Government developed hard disk encryption product called Kilgetty used to use the UK Government developed Red Pike algorithm and Government issued key material, but now it uses commercially available AES encryption algorithm based software.
It would cost less to upgrade the existing and stock of unencrypted laptop computers, than has already been wasted on Police and Customs resources in searching for the missing HMRC CDs and for this stolen laptop computer (over a million pounds already, and counting)
- Prosecutions under the Official Secrets Act . The UK Government Protective Marking level for data records, should normally be increased by a level or two, if they are collected together in one place, in vast numbers. Even if an individual record was only classified at the lowest level of Restricted, surely 600,000 of them together would justify a level of Confidential, or, since these involve Military personnel, the next level up of Secret ? Handing over so much Confidential or Secret data, without encryption, to someone who takes it out of a secure building, should merit prosecution of everyone involved, under the Official Secrets Act 1989 section 8 Safeguarding of information
or if he fails to take such care to prevent the unauthorised disclosure of the document or article as a person in his position may reasonably be expected to take.
- Disciplinary action, including Courts Martial, for negligence and breach of duty, not just against the Naval Officer who is alleged by the media to have left the laptop computer in a car overnight in Birmingham, but also, crucially, of his superiors, who have somehow allowed 600,000 records to be downloaded onto a laptop computer in the first place.
Nobody can read or make sense of that amount of data. If it was being used for statistical or even mailshot purposes, it had no business being on an unencrypted laptop computer exposed outside of a secure building.
If the Ministry of Defence cannot be trusted to keep sensitive personal recruitment details of their own staff and of potential recruits, safe and secure, then why should the Public trust the even less competent Home Office, to keep the National Identity Register centralised biometric database safe ?
Please support the support the NO2ID Campaign - "a single-issue group focussed on the threat to liberty and privacy posed by the rapid growth of the database state"