Slashdot Mirror

← Back to Stories (view on slashdot.org)

British MoD Stunned By Massive Data Loss

Posted by timothy on from the austin-powers-meets-the-peter-principle dept.

Master of Transhuman writes "Seems like nobody can keep their data under wraps these days. On the heels of the World Bank piece about massive penetrations of their servers, the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel in the British armed forces, and perhaps another 600,000 applicants. This comes on the heels of the MoD losing 658 of its laptops over the past four years and 26 flash drives holding confidential information. Apparently the MoD outsources this stuff to EDS, which is under fire for not being able to confirm that the data was or was not encrypted."

29 of 166 comments (clear)

  1. No, no, no by gowen · · Score: 5, Informative

    the British Ministry of Defense has lost a hard drive with the personal details of 100,000 serving personnel

    No. EDS lost a hard-drive, belonging to the MoD. Had to get that in before the "Government is intrinsically incompetent" posse got here. EDS, a privately owned and run subsidiary of Hewlett-Packard, subcontracting to the MoD, were responsible for the security of this drive, and they, not anyone at the MoD did the losing here.

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:No, no, no by drsquare · · Score: 3, Insightful

      What exactly is the MoD doing sending out sensitive data to foreign private contractors? In fact, why are they giving anyone data at all?

      Fuck Labour.

    2. Re:No, no, no by gowen · · Score: 3, Informative

      this is the umpteenth time the UK gov't has lost data.

      Are you reading impaired, or just an idiot?

      No member of -- or person directly employed by -- the UK Government lost this data. EDS, a long-established, privately owned subsidiary of Hewlett Packard, lost this data.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    3. Re:No, no, no by gowen · · Score: 4, Informative

      Fuck Labour.

      What? Do you really believe a politician made the decision on whom to outsource data management too?
      Are you familiar with the concept of a civil service at all? Do you know who runs the day-to-day operations for the MoD?

      Clue: Decisions like "Which subcontractor should we hire" are not made by the Secretary of State for Defence.

      --
      Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    4. Re:No, no, no by Zsub · · Score: 4, Insightful

      Are you just an idiot?

      How does the fact that this company loses the gov'ts data not imply that the gov't loses data? Please tell me if this logic is flawed...

      And does it actually matter who loses the data? I mean, I don't live there, I can't be arsed, it's not my private information but the whole point of my post was that the UK gov't loses data. Who exactly magically makes the disks or flashdrives disappear is besides the point.

    5. Re:No, no, no by cyber-vandal · · Score: 4, Insightful

      But the overuse of external subcontractors is a political decision. Fuck New Labour and fuck the Tories who started it all.

    6. Re:No, no, no by hdparm · · Score: 4, Insightful

      Why are you so apologetic on behalf of the British government? The drive was the responsibility of MoD. This includes the choice of people and/or organisations who do the handling. Likewise, even if the EDS was not the minister's choice, he should have been sacked because he hasn't made the decisions of this magnitude his choice.

    7. Re:No, no, no by CountBrass · · Score: 5, Informative

      And who decided that EDS were competent to manage the MoD's data? That would be the MoD i.e. the government. So it is the Government that is intrinsically incompetent: they have a history of either handing over vast amounts of private data to untrustworthy companies (EDS, PA Consulting, Capgemini) or of losing it themselves (HMRC, Home Office, SIS).

      In law under the Data Protection Act the MoD, not EDS, are the Data Controller and therefore responsible for losing it.

      --
      Bad analogies are like waxing a monkey with a rainbow.
    8. Re:No, no, no by SoupIsGoodFood_42 · · Score: 3, Informative

      Fuck Labour.

      Yeah, because they are the ones who are more likely to out source work to a private company, right? Last time I checked, parties like Labour generally prefer that the government did it themselves, even if it costs more, and it's the opposition who are the ones who like to out source and privatise things.

    9. Re:No, no, no by jeremyp · · Score: 3, Interesting

      EDS has been responsible for quite a number of screwed up Government IT projects in the UK. Somebody at the MoD was responsible for giving the data to that incompetent shower.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    10. Re:No, no, no by pjt33 · · Score: 3, Informative

      Check again. Labour has changed since the 1980s.

    11. Re:No, no, no by Gordonjcp · · Score: 3, Interesting

      EDS used to have a facility in Livingston (basically right in the middle of Scotland) where they printed welfare cheques (photos of the abandoned plant here). This closed down when they went to paying by BACS or similar. Anyway, according to a couple of people I know who were hired by contractors to clear all the media and computers from the site, there were quite a few highly unsavoury types handling not just storage devices and backup tapes, but also paper records while the building was being cleared. No background checking, nothing.
      What utter fucktards.
      (incidentally, posting this showed up an oddity of the URL parser - if the URL wraps so there's a space between 'href="' and 'http" then it breaks, big time.)

  2. I can! by matt4077 · · Score: 5, Funny

    I can confirm that the data was or was not encrypted.

    --
    Fleur de Sel
  3. this is the reason why... by MoFoQ · · Score: 3, Funny

    this is the reason why the brits have to spy more....'cuz it's about quantity.....if u have more data coming in.....than that is going out (aka losing)...then u'r golden.

    (I don't think it's a coincidence that this was posted after the bit about the brits needing to spy more)

  4. Re:Hardly 3 hours by Goldberg's+Pants · · Score: 4, Insightful

    They want to spy more so they can gather more information to lose.

    Seriously, lately it seems not a week goes by without some ridiculous data leak in the UK. Whether it be thumbdrives that automatically log into private networks, laptops being stolen, documents being left on a train, confidential information being lost in the post etc...

    They won't need the Data Protection Act much longer in the UK because there'll be no data left to protect as it'll all have been leaked.

  5. News from MOD by auric_dude · · Score: 5, Informative

    Update from MOD http://www.mod.uk/DefenceInternet/DefenceNews/DefencePolicyAndBusiness/ModIssuesUpdateOnMissingEdsHardDisk.htm

  6. Are they really being lost? by argiedot · · Score: 4, Interesting

    The only time I have ever lost a device is when I was mugged and my phones were taken from me and I'm just any other person.

    It should be interesting to see what the ratio of laptops lost to all laptops provided is. Maybe this cynicism is because I live in India where corruption is rampant and entire flyovers can be 'lost', but I'm a bit suspicious about this whole thing.

    Also, if they're losing laptops with information at such a high rate, at what rate are they losing paper files? Surely it's harder to keep track of the 20 binders with 100 sheets in them than it is to keep track of one hard drive?

    I find it hard to believe that these people are really that incompetent. Hanlon's Razor doesn't always apply.

    1. Re:Are they really being lost? by Anonymous Coward · · Score: 4, Informative

      Business travellers in the US and Europe lose a staggering 15,648 laptops per week, according to a new study by Dell.

      So one shouldn't be surprised that laptops go missing, if the study is anything like accurate.

    2. Re:Are they really being lost? by somersault · · Score: 3, Interesting

      It was standard practice for our head of accounting to take our backup tapes home for a few years. This year I saw some of our tapes just lying out in plain view on the passenger seat of his car, so I politely showed him a couple of stories about data loss when tapes were stolen from cars, and have been taking the tapes home myself now..

      --
      which is totally what she said
  7. Re:Hardly 3 hours by Dr.+Hellno · · Score: 4, Insightful

    "I'm just looking forward to when the data gets lost."

    From the summary of that post. 3 hours ago.

    ...Holy Crap.

    We know they're abusing their power. We know that they're incompetent!
    And it never changes! It just happens again and again and again!
    I don't know whether to laugh or cry or scream or kill or just give up anymore. I just don't know.

  8. Yet another example... by Firefalcon · · Score: 4, Interesting

    ...of why we shouldn't be outsourcing critical/sensitive data handling. Yes, Government departments can cock-up enough without external help, but so many of these data loss issues at the moment seem to be the fault of a private company they've outsourced to.

    Also, I worry about the outsourcing of anything relating to our Country's security. When you give the job to the lowest bidder, what can you expect but a barely adequate service?

  9. Re:Combine this with the immediately preceding sto by houghi · · Score: 3, Funny

    Information wants to be free.

    --
    Don't fight for your country, if your country does not fight for you.
  10. Re:Encrypted or not? HAH! by leenks · · Score: 3, Insightful

    His point was that if someone wants the data, eg they actively stole the hard drive, then they are likely to steal or obtain the mechanism to decrypt the data too.

  11. Government Incompetence? by BenEnglishAtHome · · Score: 5, Informative

    Isn't that the definition of a government?

    Not really. Where I work, any laptop connected to the network is checked at every connection for the presence of active full disk encryption software. If it isn't found (which can happen when computers are being built and the encryption installation hasn't been completed) then an immediate alert is sent to the support staff nearest the machine. In response to that alert, the machine must be encrypted or seized immediately. We're talking same-day action, here, with the consequence of inaction being that someone gets fired.

    The result is that when we lose (usually through theft but the method is unimportant in this context) a laptop, we can immediately report that said laptop was fully encrypted and no data was lost or is at risk.

    If we need to let a contractor on our network, we set up one of our laptops to meet all security requirements and lend that hardware to the contractor. No contractor is allowed to put their machine on our network.

    Finally, when data is written to removable media, it's encrypted. We run a software package (Guardian Edge) that forces all writes to removable media to be encrypted. It's a pain sometimes, but it's the least we can do to keep the publics private data safe.

    Frankly, I'm shocked that the MOD would accept less stringent practices on the part of contractors. I know we don't.

    1. Re:Government Incompetence? by lysergic.acid · · Score: 4, Insightful

      there's no inherent reason for the government to be incompetent. but it's always those who want to cut down on public infrastructure and social welfare programs that are incompetent themselves. of course when you elect such people into government they make a complete mess of things and use their own incompetence as an excuse to hand these roles over to the private sector.

      i mean, how can you put people who don't believe in public infrastructure in charge of public infrastructure? it's a self-fulfilling prophecy.

    2. Re:Government Incompetence? by BenEnglishAtHome · · Score: 4, Interesting

      what kind of tricky stuff are you doing to detect full-disk encryption on any machine that touches the network?

      I don't know. I'm on the receiving end of those alerts, so I know they happen. Exactly how, I'm not sure. Our logon scripts do all sorts of stuff, including automatically installing updates to vertical apps, so checking for full disk encryption wouldn't seem to be too hard a task. I know there are certain files on the machines that do not exist until encryption has been installed and fully enabled. I assume that looking for them would be trivial. But that's just a guess.

      To show you how tight our scans are, we had a contractor who plugged a personally-owned USB key into his IRS-issued laptop. It contained some basic maintenance tools as well as some network monitoring tools. He wanted some simple utility, I forget which one, and instead of asking for it through channels he just plugged in his copy. Literally *5* minutes after he plugged in the key, his machine was deleted from the domain and his personal identifier was wiped from all systems, just like we do when someone is fired. 5 minutes after that, his boss got a call from our security office explaining that the employee was being reviewed for termination. The boss explained that he was a good guy, new to the organization, just made a mistake, and asked for some slack. Ultimately, the guy got a two-week suspension and then had to re-build everything (system access permissions, etc.) as if he were newly hired.

      I really don't question the notion that our monitoring does a good job of catching any funny business.

      And more importantly (assuming that this requires a boot-time password; I've never bothered with any serious encryption), do you have something that detects the sticky note on the bottom of the laptop with said password?

      This is one of the areas where we take a notably sensible approach. Our security rules that each person must sign and obey do NOT prohibit writing down passwords. It's officially discouraged but not prohibited. We take the attitude that as long as that list is protected, like people protect their ID card, door key card, and credit card, there's no problem.

      Nobody puts a sticker on the bottom of their laptop or keyboard. We have constant security inspections, usually after hours, and doing crap like that gets you disciplined severely.

      I wont go into excess detail (which, by itself, would be a violation of our security rules) but suffice it to say that if you wanted to steal and get data off an IRS laptop, you'd have to mug the user, get their password list, know their internal ID (which no one writes down because we use it constantly) then mug a different person with local machine administrator credentials, get logons and passwords from that person, then know exactly where to type all of them in without making more than three mistakes to lock up the machine.

      The only people who could successfully get information off our laptops would be our admins. But we can get to that stuff internally, already, so that's not a realistic threat.

      Realistically, the only thing a thief can do with a stolen IRS laptop is wipe it, install an OS, and use it.

  12. Re:Hardly 3 hours by gbjbaanb · · Score: 4, Funny

    or they're just moving to a more distributed data system, they want to spy on you so they can see the data you now hold. Its like a bittorrent data-storage solution, all these 'lost' laptops and pendrives is a secret mechanism of distributing the data in the most widely and random way - thus adding to the security of the overall system, as no-one else knows where its ended up.

    See, its simple really :-)

  13. Contains everything you need for perfect ID theft by gilgongo · · Score: 3, Informative

    From TFA:

    "The portable drive contains the names, addresses, passport numbers, dates of birth and driving licence details of around 100,000 serving personnel across the Army, Royal Navy and RAF, plus their next-of-kin details. "

    Wow. Just... wow.

    The person who finds this and wants to exploit it would become unimaginably rich on stolen identities for pretty much the rest of their lives. I suppose if the MoD have a record of exactly who's details were on the disk, they could re-issue things like national insurance numbers and driving licences to prevent that, but even then the possibilities for other avenues of exploitation using this information would be huge (next of kin, for pity's sake!!).

    Data like this needs to be treated as if it were nuclear waste or a volatile explosive mixture. It would be just about OK to have a list of 100,000 driving licence numbers if these were kept physically separate from, say, names and addresses (eg keying them on a one-time ID), but when certain classes of data are kept TOGETHER like this, it should be every right-thinking person's reaction to scream the house down in panic.

    We have to assume that at some point, all data will leak out somewhere. All we can do is to to ensure than when it does, it's not actionable. Oh, and by the way - you can forget encryption. People don't understand it and in most cases those who steal data will steal or otherwise obtain the keys as well.

    --
    "And the meaning of words; when they cease to function; when will it start worrying you?"
  14. MOD PARENT UP by BenEnglishAtHome · · Score: 3, Insightful

    This:

    how can you put people who don't believe in public infrastructure in charge of public infrastructure?

    is one of the best questions I've ever seen posted on Slashdot. With an election looming, it's a question that every voter should ask themselves. Whoever modded it flamebait is a dufus.