Slashdot Mirror


British MoD Stunned By Massive Data Loss

Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."

6 of 166 comments

  1. No, no, no by gowen · · Score: 5, Informative

    the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel

    No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD, did the losing here.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:No, no, no by gowen · · Score: 4, Informative

      Fuck Labour.

      What? Do you really believe a politician made the decision on whom to outsource data management to?
      Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?

      Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    2. Re:No, no, no by CountBrass · · Score: 5, Informative

      And who decided that EDS were competent to manage the MoD's data? That would be the MoD i.e. the government. So it is the Government that is intrinsically incompetent: they have a history of either handing over vast amounts of private data to untrustworthy companies (EDS, PA Consulting, Capgemini) or of losing it themselves (HMRC, Home Office, SIS).

      In law under the Data Protection Act the MoD, not EDS, are the Data Controller and therefore responsible for losing it.

      --
      Bad analogies are like waxing a monkey with a rainbow.
  2. Re:Are they really being lost? by Anonymous Coward · · Score: 4, Informative

    Business travellers in the US and Europe lose a staggering 15,648 laptops per week, according to a new study by Dell.

    So one shouldn't be surprised that laptops go missing, if the study is anything like accurate.

  3. Government Incompetence? by BenEnglishAtHome · · Score: 5, Informative

    Isn't that the definition of a government?

    Not really. Where I work, any laptop connected to the network is checked at every connection for the presence of active full disk encryption software. If it isn't found (which can happen when computers are being built and the encryption installation hasn't been completed) then an immediate alert is sent to the support staff nearest the machine. In response to that alert, the machine must be encrypted or seized immediately. We're talking same-day action, here, with the consequence of inaction being that someone gets fired.

    The result is that when we lose (usually through theft but the method is unimportant in this context) a laptop, we can immediately report that said laptop was fully encrypted and no data was lost or is at risk.

    If we need to let a contractor on our network, we set up one of our laptops to meet all security requirements and lend that hardware to the contractor. No contractor is allowed to put their machine on our network.

    Finally, when data is written to removable media, it's encrypted. We run a software package (Guardian Edge) that forces all writes to removable media to be encrypted. It's a pain sometimes, but it's the least we can do to keep the public's private data safe.

    Frankly, I'm shocked that the MOD would accept less stringent practices on the part of contractors. I know we don't.
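
One way the connection-time encryption check described in the comment above could be done on a Linux laptop, as an added example that is not part of the original thread or the commenter's tooling. It assumes dm-crypt/LUKS and the output of `lsblk --json -o NAME,TYPE,MOUNTPOINT`; the sample JSON, host name, exempt mounts and action strings are constructed for illustration.

```python
import json

# Mount points allowed to stay unencrypted (assumption: the bootloader needs them).
EXEMPT_MOUNTS = {"/boot", "/boot/efi"}

# Constructed sample of `lsblk --json -o NAME,TYPE,MOUNTPOINT` output: a laptop
# whose root is on LUKS but whose /home partition was left in the clear.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}
    ]},
    {"name": "sda3", "type": "part", "mountpoint": "/home"}
  ]}
]}
"""

def unencrypted_mounts(lsblk_json, exempt=EXEMPT_MOUNTS):
    """Return sorted mount points that have no dm-crypt layer beneath them."""
    findings = []

    def walk(node, under_crypt):
        # A "crypt" node covers everything stacked on top of it (LVM, filesystems).
        under_crypt = under_crypt or node.get("type") == "crypt"
        mount = node.get("mountpoint")
        if mount and mount not in exempt and not under_crypt:
            findings.append(mount)
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json).get("blockdevices", []):
        walk(device, False)
    return sorted(findings)

def posture(hostname, lsblk_json):
    """Build the admit/alert decision a connection-time check would report."""
    exposed = unencrypted_mounts(lsblk_json)
    return {
        "host": hostname,
        "compliant": not exposed,
        "action": "admit" if not exposed else "alert_support_encrypt_or_seize",
        "unencrypted_mounts": exposed,
    }

if __name__ == "__main__":
    print(json.dumps(posture("laptop-0042", SAMPLE_LSBLK), indent=2))
```

Unencrypted swap shows up in `lsblk` with the mount point `[SWAP]` and is flagged like any other volume, which matters because swap can hold copies of in-memory data.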