MoD coughs to laptop triple whammy
'We lost three unencrypted laptops, not one'
Updated: Defence minister Des Browne has admitted that the Ministry of Defence (MoD) has lost not one, but three laptops containing unencrypted information since 2005.
Last week, it emerged that the MoD had lost a laptop containing the personal details of 600,000 people who had expressed an interest in joining the armed services.
The laptop was stolen from a junior Naval officer, who had left the machine in a car parked overnight in Edgbaston, Birmingham. West Midlands police are investigating the theft.
An internal MoD investigation has already uncovered the other two losses.
The latest government humiliation is particularly disturbing because of the obvious security risk. Browne said last night he was well aware of the potential danger, especially for forces serving in Northern Ireland.
The MoD will now write to 3,700 people whose bank details were on the laptop and to the 153,000 people who applied to join the Royal Navy, the Royal Marines, and the Royal Air Force. Their records contained much more information including passport details, National Insurance numbers, driving licence details, and doctors' addresses.
Information Commissioner Richard Thomas said: "The volume of information in this case is significant and I am concerned about the sensitivity of some of the information contained on the laptop and the fact it pertains to military personnel. But this is not just about security. We will need to know why so much information on so many people was held on a laptop and whether any of it had been retained for too long."
Des Browne also announced yet another independent review of MoD data practises to be headed up by Sir Edmund Burton.
Talking to Parliament yesterday, Browne said: "It is not clear to me why recruiting officers routinely carry with them information on such a large number of people or why the database retains this information at all."
Ministers were told of the theft on 11 January, but believed at the time that the data was encrypted. They were told it was not encrypted on 14 January, and later told the Information Commissioner and police. The Association for Payment Clearing Services was also informed.
By 18 January all other MoD laptops were recalled and secured.
The Royal Navy has completed its own internal investigation and is considering what action to take against the junior officer.
The data was not encrypted, in breach of MOD rules, and the failure of procedure and compliance was not found by the government-wide review of security policies we were promised after the loss of 25 million private records by Her Majesty's Revenue and Customs in October.
Des Browne told Parliament yesterday: "The level of encryption used by the Ministry of Defence on its computers is stronger than that used for commercial applications and our IT authorities judge that a significant amount of time, resources, and particular expertise would be needed to access the data in a readable format."
Which would be reassuring if the MoD had in fact encrypted the data.
We asked the MoD what this super, if under-used, form of encryption was. It's promised to get back to us if it can comment without giving away too much information.
The MoD sent us the following statement: "We will not go into detail about our security specifications. Whilst the encryption algorithms used within our approved products may be the same as those used by industry, the implementation of the encryption mechanism within these specific products has been assessed such that its strength is considered suitable for the protection of MoD data. We judge that generally speaking the strength of these mechanisms is higher than typically required for commercial use." ®