MoD loses most of the armed forces
Oh! what a lovely data loss
The Ministry of Defence and contractor EDS are frantically checking the bins this morning for a missing hard drive containing records of 100,000 servicemen and women and their families.
The case is worrying, even by this government's cretinous standards, because of potential targeting of people who worked in Northern Ireland or in more recent conflicts. The records also appear to contain enough information to create a fake identity.
The information included bank details and passport numbers of 100,000 servicemen and women. There was also information on 800,000 people who had applied to serve in the armed forces.
Why such a huge amount of data was stored on an unencrypted and portable drive has not been revealed.
The MoD sent us the following statement: “On Wednesday 8 October we were informed by our contractor EDS that they were unable to account for a portable hard drive used in connection with the administration of Armed Forces personnel data. This came to light during a priority audit EDS are conducting to comply with the Cabinet Office data handling review. The MOD Police are investigating with EDS.”
Much of the data of course will have already been lost by the MoD. Here's a quick reminder of how much information the department has lost this year, due to its failure to follow even the most basic data protection principles.
In January the MoD admitted losing a laptop with details of 600,000 applicants for the armed services. The data was unencrypted and the laptop, which was not password protected, was left in an empty car overnight.
In March it admitted losing 11,000 ID cards over the last two years.
In July it coughed to losing 87 storage devices containing classified material since 2003.
In September it was the turn of the RAF. It lost three hard disk drives containing information on all current and recently-ex members of the RAF - about 50,000 people.
Also in September it was an MoD staffer, on secondment to the Cabinet Office, who left two top secret intelligence documents on a train from Waterloo. We learnt yesterday that he is to be charged with offences under the Official Secrets Act. ®
And this is all we know.....
This is a public admission of data loss. This has only been coughed to because it has been investigated to death first and only at the very last moment when the declaration has to be made has it come out. This is bad enough but consider that vastly more data is processed and sent without any mention of it.
Consider the operators taking database dumps, minimum paid people, frequently contractors, frequently remote......na, they never copy the data.
Once outsourcing started this was always going to be the end game. We all need to get over it, if there is a computer record on you, you can bank on the fact it has already been leaked or lost or copied. The only thing we are worrying about is the scale and distribution of our data.
I vote for a grave stone, cus this should make the proper end of EDS. If the government let them carry on as their main outsource partner now they must be mad.
Key issues concerning the massive loss of data by British MoD.
I'd suggest there are a number of key issues to keep in mind when considering the massive loss of data by British MoD. Here's a few to begin with:
1. The data/security paradigm changes when data are moved from hard/paper copy to a machine-readable form. Most people still think of security and access in paper-based terms, not that of electronic data which is a very different animal. Had the records been stored on traditional paper-based record systems then there would have been no breach of security.
2. Data in electronic form acquires a range of new and powerful properties when compared with that of the same records stored on hardcopy/paper. For example, stealing 600,000 plus paper-based records would be nigh on impossible, but this electronic 'loss' is not even theft as far as we know--just incompetence and mishandling. Those handling or using this data do not understand the differences between the electronic data and hard copy paradigms (especially a problem in government bureaucracies). Ipso facto, if they did then this data security breach would not have happened. Unfortunately, this lack of understanding is not unique; even those in the data processing/security game have a very poor understanding of the problem: for they usually concentrate on specific security issues and technicalities, not why or whether certain facts or information should or should not be committed to electronic storage, or what the implications are if the data falls into unwanted hands.
3. It is questionable whether certain forms of sensitive data should actually be transferred into an electronic format, especially if bound into fully collated databases (as here). If electronic records are absolutely essential then the data can be held in multiple parts in distributed databases--one part alone being useless without others. (The fact that this data is not secured and managed in such a way that its loss would be trivial ought to be of great concern. Computer science just hasn't evolved sufficiently to always guarantee security and simultaneously make it easy and foolproof to implement: only electronically encode that which is essential.)
4. Governments, control freaks and penny-pinching accountants etc.--those with a police state mentality--want all records conveniently to hand, often for very questionable reasons including very little practical justification or need. In this instance, not only have they collected and collated vast amounts of sensitive personal data and stored it in an easily 'losable' form but the very act of doing so is one of utter irresponsibility. The loss of such important data (and on such a grand scale) together with security systems that are so weak and in such disarray--to the extent that they permit such losses--has to be an act of malfeasance.
4.1 Essentially, what has happened here is that an act of treason has been committed against the 'collective of citizens' [who constitute part of the state]--those who gave their personal data on the understanding that their government would keep it secure but who failed through negligence, inter alia.
4.2 There's little doubt that this incident will be hushed up, and there will be a scapegoat or two or possibly not even that. Moreover, I'll bet it happens again sometime soon, remember this is not the first of such incidents. With Britain going to a universal ID card what would happen if Al-Qaeda or similar organization were to ever get such a file? Even a friendly power such as the USA would be only too happy to snap up such valuable data, no questions asked.
5. Whether relevant or not, Governments, bureaucrats and security services have a Nazi-like obsession in collecting vast amounts of data on citizens, and there is no obligation on those collecting it to even tell citizens that they are doing so let alone let the citizen see or review the data. Whether storing so much detail about citizens in vulnerable electronic format (such as in single but comprehensive databases) is warranted or not ought to be publicly debated, especially by those whose data it is. Again, this incident only highlights the privacy debate which isn't happening!
6. It's questionable whether sensitive data of this kind really needs to be fully collated in one location, but if it is then there should be no reason for it to ever move from that location (except to another of the same status/security for backup purposes).
7. There is NO need for any other person or entity to have this data, and--in human rights terms--NOR does anyone else have the right to the data (just on basic privacy grounds alone let alone other reasons). If contractors require data to test systems etc. then non-identifying aggregated data should be supplied. Duplicating such data without the full consent of the citizens involved should be seen as a breach of not only their privacy but also their human rights. Remember, these are no ordinary records, an enemy could use them to annihilate soldiers before they're engaged on a battlefield--the lost records could perhaps put the very security of the country at risk. Even if this loss is not a high risk then the modus operandi that let it happen will inevitably repeat itself sooner or later, and most likely when the stakes are higher.
8. Computers, through their vastly increasing processing capability, are availing governments with new and unprecedented powers by stealth, and we citizens need question and scrutinize them--if but for no other reason than our own safety. Surveillance and monitoring of the citizenry is at an all-time high and justified, as always, in the hoary old name of 'security'--an emotive word whose very use 'justifies' the excuse to quell any in-depth public debate on the subject.
8.1 This incident, and others similar, should never have been allowed to happen. Again, it proves beyond reasonable doubt that governments can and do act irresponsibly towards their citizens whilst knowing better; moreover, they continue to get away with it without necessary scrutiny and public accountability because we continue to let them do so.
Events such as this data 'loss' enable us the citizenry to gain a small insight into the creeping and inextricably increasing powers of governments and we should use every such opportunity to rein in these abuses. If we ignore them then we do so at our own peril.
In the interests of Democracy and good governance, when our governments act so deplorably it is the duty of we citizens to ensure that those responsible be held accountable, and we must insist the issues be widely and publicly debated, and not hidden and whitewashed in the name of security.
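The split-storage idea in point 3 of the comment above, as an added example that is not part of the original comment: an n-of-n XOR split in which each storage site holds one share and any single share on its own is indistinguishable from random bytes. The record contents and all function names are constructed for illustration.

```python
import secrets
from functools import reduce

# Constructed sample record; every field value is a placeholder.
SAMPLE_RECORD = b"service_no=EXAMPLE-0001;name=Example Person;bank=00-00-00/00000000"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_record(record: bytes, n: int) -> list[bytes]:
    """Return n shares, one per storage site; all n are needed to rebuild."""
    if n < 2:
        raise ValueError("need at least two shares")
    # n-1 shares are fresh random pads from the OS CSPRNG.
    pads = [secrets.token_bytes(len(record)) for _ in range(n - 1)]
    # The last share is the record XORed with every pad, so it is also
    # uniformly random to anyone who lacks even one of the pads.
    return pads + [reduce(xor_bytes, pads, record)]


def join_shares(shares: list[bytes]) -> bytes:
    """XOR every share together; correct only when all n are present."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    return reduce(xor_bytes, shares)


def view_without(shares: list[bytes], missing: int) -> bytes:
    """What a holder of every share except one can compute."""
    rest = [s for i, s in enumerate(shares) if i != missing]
    return reduce(xor_bytes, rest)


if __name__ == "__main__":
    shares = split_record(SAMPLE_RECORD, 3)
    print("all three sites:", join_shares(shares) == SAMPLE_RECORD)
    print("one site's drive lost:", view_without(shares, 0) == SAMPLE_RECORD)
```

Each share is as long as the record, so the record's length still leaks, and losing any one share makes the record unrecoverable; a threshold scheme such as Shamir's secret sharing relaxes the second constraint.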
I would suggest
if the government/MoD can't be assed encrypting their data I would suggest that they start buying secure pen drives (like the Iron Key with built in encryption/anti-tamper tech)
so even if the drive is misplaced the data will be safe.
it seems as though the MoD/government will never learn from their mistakes and will carry on on their merry data losing ways