Slashdot Mirror


British MoD Stunned By Massive Data Loss

Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."

14 of 166 comments

  1. No, no, no by gowen · · Score: 5, Informative

    the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel

    No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD, did the losing here.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:No, no, no by gowen · · Score: 3, Informative

      this is the umpteenth time the UK gov't has lost data.

      Are you reading impaired, or just an idiot?

      No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:No, no, no by gowen · · Score: 4, Informative

      Fuck Labour.

      What? Do you really believe a politician made the decision on whom to outsource data management to?
      Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?

      Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    3. Re:No, no, no by gowen · · Score: 1, Informative

      EDS has been around since 1962. To quote Wikipedia:

      EDS's largest clients include General Motors, Bank of America, Arcandor, Kraft, United States Navy, the UK Ministry of Defence and the Royal Dutch Shell.

      But, hey, if an anonymous coward says they're an "incompetent company", that's good enough for me. I stand corrected.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:No, no, no by CountBrass · · Score: 5, Informative

      And who decided that EDS were competent to manage the MoD's data? That would be the MoD i.e. the government. So it is the Government that is intrinsically incompetent: they have a history of either handing over vast amounts of private data to untrustworthy companies (EDS, PA Consulting, Capgemini) or of losing it themselves (HMRC, Home Office, SIS).

      In law under the Data Protection Act the MoD, not EDS, are the Data Controller and therefore responsible for losing it.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    5. Re:No, no, no by SoupIsGoodFood_42 · · Score: 3, Informative

      Fuck Labour.

      Yeah, because they are the ones who are more likely to outsource work to a private company, right? Last time I checked, parties like Labour generally prefer that the government did it themselves, even if it costs more, and it's the opposition who are the ones who like to outsource and privatise things.

    6. Re:No, no, no by captain_dope_pants · · Score: 2, Informative

      EDS are regularly in a UK magazine called Private Eye - usually for being useless or money grabbing or somehow winding up with yet another Govt contract when their track record isn't that good.

      --
      while (true != false) process_more_stupid_code();
    7. Re:No, no, no by pjt33 · · Score: 3, Informative

      Check again. Labour has changed since the 1980s.

  2. Re:Are they really being lost? by Anonymous Coward · · Score: 4, Informative

    Business travellers in the US and Europe lose a staggering 15,648 laptops per week, according to a new study by Dell.

    So one shouldn't be surprised that laptops go missing, if the study is anything like accurate.

  3. Government Incompetence? by BenEnglishAtHome · · Score: 5, Informative

    Isn't that the definition of a government?

    Not really. Where I work, any laptop connected to the network is checked at every connection for the presence of active full disk encryption software. If it isn't found (which can happen when computers are being built and the encryption installation hasn't been completed) then an immediate alert is sent to the support staff nearest the machine. In response to that alert, the machine must be encrypted or seized immediately. We're talking same-day action, here, with the consequence of inaction being that someone gets fired.

    The result is that when we lose (usually through theft but the method is unimportant in this context) a laptop, we can immediately report that said laptop was fully encrypted and no data was lost or is at risk.

    If we need to let a contractor on our network, we set up one of our laptops to meet all security requirements and lend that hardware to the contractor. No contractor is allowed to put their machine on our network.

    Finally, when data is written to removable media, it's encrypted. We run a software package (Guardian Edge) that forces all writes to removable media to be encrypted. It's a pain sometimes, but it's the least we can do to keep the public's private data safe.

    Frankly, I'm shocked that the MOD would accept less stringent practices on the part of contractors. I know we don't.
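
The connection-time check described in the comment above, sketched as an added example (not part of the original comment and not the commenter's actual system). The event fields, host names and site names are hypothetical: every posture check is replayed in time order, a laptop seen without active full disk encryption opens an alert for the site it last connected from, and an alert still open on a later day is reported as overdue.

```python
from dataclasses import dataclass
from datetime import datetime, date

@dataclass
class Check:                 # one posture check made when a laptop connects
    when: datetime
    host: str
    site: str                # office the laptop connected from
    fde_active: bool         # did the check find active full disk encryption?

@dataclass
class Fix:                   # support staff response to an alert
    when: datetime
    host: str
    action: str              # "encrypted" or "seized"

def open_alerts(checks, fixes, today):
    """Replay events in time order. Returns (alerts, overdue): alerts maps
    host -> (site to notify, first time seen unencrypted); overdue lists hosts
    whose alert was raised on an earlier day than `today` and is still open."""
    alerts = {}
    for ev in sorted(list(checks) + list(fixes), key=lambda e: e.when):
        if isinstance(ev, Fix):
            if ev.action in ("encrypted", "seized"):
                alerts.pop(ev.host, None)
        elif ev.fde_active:
            alerts.pop(ev.host, None)          # a later clean check closes the alert
        else:
            first_seen = alerts.get(ev.host, (None, ev.when))[1]
            alerts[ev.host] = (ev.site, first_seen)   # notify the latest site
    overdue = sorted(h for h, (_, seen) in alerts.items() if seen.date() < today)
    return alerts, overdue

# Constructed sample events (hypothetical hosts and sites).
CHECKS = [
    Check(datetime(2008, 10, 9, 9, 0), "lt-001", "site-a", True),
    Check(datetime(2008, 10, 9, 9, 5), "lt-002", "site-a", False),   # still being built
    Check(datetime(2008, 10, 9, 14, 0), "lt-003", "site-b", False),
    Check(datetime(2008, 10, 10, 8, 30), "lt-003", "site-c", False), # moved, still open
]
FIXES = [Fix(datetime(2008, 10, 9, 11, 0), "lt-002", "encrypted")]

def demo():
    return open_alerts(CHECKS, FIXES, today=date(2008, 10, 10))
```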

    1. Re:Government Incompetence? by Skuldo · · Score: 2, Informative

      The UK Skynet has been around since at least 1969.

    2. Re:Government Incompetence? by BenEnglishAtHome · · Score: 2, Informative

      your IT Security people that they can just disable the USB drivers

      We'd have to quell a revolt. Some of our people have repeated needs to move multi-gig data files from place to place. USB sticks have been a godsend. Given that some of our offices have such poor connectivity to the rest of the world, large file transfers used to require overnight or longer planning. Just moving a file from cube to manager's office for review could take hours. Now that they can sneakernet or mail a USB stick to move a big file, turning off that capability would have them hunting for our scalps.

  4. Contains everything you need for perfect ID theft by gilgongo · · Score: 3, Informative

    From TFA:

    "The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details."

    Wow. Just... wow.

    The person who finds this and wants to exploit it would become unimaginably rich on stolen identities for pretty much the rest of their lives. I suppose if the MoD have a record of exactly whose details were on the disk, they could re-issue things like national insurance numbers and driving licences to prevent that, but even then the possibilities for other avenues of exploitation using this information would be huge (next of kin, for pity's sake!!).

    Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person's reaction to scream the house down in panic.

    We have to assume that at some point, all data will leak out somewhere. All we can do is to ensure that when it does, it's not actionable. Oh, and by the way - you can forget encryption. People don't understand it and in most cases those who steal data will steal or otherwise obtain the keys as well.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
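
The separation suggested in the comment above (document numbers kept apart from names and addresses, keyed on a one-time ID), as an added example that is not part of the original comment. The field names and sample records are constructed: each record is split into an identity store and a document store, each row under its own random key, with a link table as the only place the two keys meet.

```python
import secrets

IDENTITY = ("name", "address", "date_of_birth")
DOCUMENTS = ("passport_no", "licence_no")      # kept apart from identity fields

def split_records(records):
    """Split records into three stores intended for separate media and
    custodians: identity rows, document rows, and the link table."""
    identity, documents, links = {}, {}, {}
    for rec in records:
        id_key, doc_key = secrets.token_hex(16), secrets.token_hex(16)
        identity[id_key] = {f: rec[f] for f in IDENTITY}
        documents[doc_key] = {f: rec[f] for f in DOCUMENTS}
        links[id_key] = doc_key
    # Matching row order would link the two stores without the table, so the
    # document store is ordered by its random keys instead of by input order.
    documents = dict(sorted(documents.items()))
    return identity, documents, links

def rejoin(identity, documents, links):
    """Rebuild full records; only possible for a holder of all three stores."""
    return [{**identity[i], **documents[d]} for i, d in links.items()]

# Constructed sample records (not real people or document numbers).
SAMPLE = [
    {"name": "A. Example", "address": "1 Sample Road", "date_of_birth": "1980-01-01",
     "passport_no": "P-0000001", "licence_no": "L-0000001"},
    {"name": "B. Example", "address": "2 Sample Road", "date_of_birth": "1975-06-15",
     "passport_no": "P-0000002", "licence_no": "L-0000002"},
    {"name": "C. Example", "address": "3 Sample Road", "date_of_birth": "1990-12-31",
     "passport_no": "P-0000003", "licence_no": "L-0000003"},
]

def demo():
    identity, documents, links = split_records(SAMPLE)
    return identity, documents, links, rejoin(identity, documents, links)
```

A lost copy of either store alone carries no way to pair a number with a person; that property holds only while the link table is stored and transported separately from both.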