Column

Another day, another embarrassing data loss

Ron Condon, UK Bureau Chief
Now things are different. Everyone – and I mean everyone from home PC users to stand-up comedians – know the story of the lost CDs at HM Revenue and Customs last December, and they know the value of stolen personal details. So anyone getting their hands on a stolen laptop these days is not going to let it go for £50, at least not without first looking at what it contains.

Now last weekend, we hear that an officer from the Royal Navy had a laptop stolen from the back of his car. The machine in question held data on 600,000 people who have applied to join the armed forces, and the personal details apparently included National Insurance numbers, medical details and the bank details of around 3,500 people.

The theft took place in Birmingham on the night of January 9 and what happened after that still has to be made clear. The official story is that the MoD reported the theft to West Midlands police, who advised against making it public. A week later, news of the theft leaked out and the MoD issued a statement saying it was treating the situation "with the utmost seriousness" and was writing to the 3,500 people whose bank details had been lost.

This particular database has special value to some people. It contains details of everyone who has shown an interest in joining the armed forces over the last 10 years. The most recent records would have contained the details of those recently registered in the latest recruitment drive in West Midlands, an area with a large Muslim population.

As we know, Muslims in the armed forces have been targeted in the past by terrorists and treated as traitors to Islam. So the stakes are high. To make things worse, early reports say the data on the laptop was not encrypted, and therefore open to scrutiny by the thief and his mates when they boot up down at the King's Arms.

This latest data loss beggars belief at all levels. Why did someone need all 600,000 records on their machine? Why weren't they encrypted? Why did it take a week for MoD to come clean and start writing to potential victims?

The delay is unforgivable, and shows that the MoD still equates secrecy with security, where in this case they are precisely the opposite. As long as the theft stayed secret, the longer the thieves had to find a suitable buyer for their haul. They didn't need to read it in the paper to know that what they had was of value. For all we know – and I pray this is not the case – the personal details could already be with identity thieves, or worse, religious extremists.

The MoD will try to do all it can to manage this affair internally, but any such attempt should be resisted. Like the rest of industry, they have to show they can be trusted to look after information properly.

The Government has tried to sound tough. According to PA, Cabinet Secretary Sir Gus O'Donnell in an email Monday night (Jan 21) to all Department senior managers: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."

Facing Parliament, Defence Secretary Des Browne admitted that another laptop containing much the same data had been stolen back in 2006. You really couldn't make this up.

If the MoD and Government want to repair the damage done to their credibility, they have to spell out their policies and make sure they have cast-iron procedures for enforcing them. And we need to see people punished for their lack of care – not just the junior officer at the centre of the latest row, but his bosses who allowed it to happen, and then tried to keep it quiet.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy