Sir Robert Fry, head of EDS Defence, has said that a portable hard drive which went missing had not needed to be encrypted under Ministry of Defence procedures because it was held in secure premises.
Some in the IT industry may be surprised that portable MoD data does not require encryption if it is held in secure premises.
Fry said he was unable to rule out the malicious use of any data on the missing drive. But he said that “if it was intended for any malicious purpose, we would have had some indication that that was the case before now”.
He was being questioned on BBC Radio 5’s “Drive” programme, which included an interview with Computer Weekly. The presenter Anita Anand asked Fry: how secure was the hard drive?
“The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defence work, when it sits inside a secure site.”
The loss of the drive was discovered last Wednesday and reported by EDS on the same day. But it’s not known when the drive disappeared. The Ministry of Defence said in a statement that the hard drive may yet turn up at another secure site. It conceded that the personal information of members of the armed forces might have been “compromised” by the loss of data on the drive.
The 1TB portable hard drive went missing from a secure EDS site at Hook in Surrey.
MPs have criticised the loss of the hard drive, saying that a culture change is needed to prevent personal data going missing.
This is a transcript of an interview between Sir Robert Fry and Anita Anand on Friday 10 October 2008. Fry, KCB, CBE, was formerly Commandant General Royal Marines. He was a deputy commander in charge of a multinational force in Iraq and was Director of Operations at the MoD. He joined EDS in 2007 as vice president of EDS (UK) Defence Services. He is now Vice President of EDS and Managing Director, EDS Defence.
Anand [Radio 5]: The [missing] hard drive may include names, addresses, passport numbers, dates of birth and driving licence details of about 100,000 employees. That’s about half of the armed forces. The lost drive belonged to EDS, the MoD’s main IT contractor. Sir Rob Fry is managing director of EDS [Defence] in the UK. A little earlier I asked him whether he knew exactly when that hard drive went missing?
Fry [EDS Defence]: No. What we have is an electronic profile which shows that the last time that it was actively used was some time ago. We then discovered, because we had been going through the complete inventory of all our data storage devices, that we were unable to account for it two days ago.
Anand: It was last used a long time ago. Conceivably it could have gone missing a long time ago? Conceivably that information could be in somebody’s hands for an awfully long time?
Fry: I cannot altogether rule that out. But if that was the case, and it was intended for any malicious purpose, we would have had some indication that that was the case before now. I have really got to stress the fact that this [the place from which the drive went missing] is a secure environment. It is protected to all the levels specified by the Ministry of Defence in physical, electronic and virtual terms.
Anand: So it is absolutely encrypted, it is bomb-proof, nobody can get into it?
Fry: I am talking about the offices themselves, the secure environment itself.
Anand: What about the hard drive itself? How secure is that?
Fry: The hard drive was not encrypted but neither did it need to be, in terms of the protocols to which we and the Ministry of Defence work, when it sits inside a secure site.
Anand: Clearly it’s not inside that secure site and now it’s vulnerable to being opened by anyone because it’s not encrypted?
Fry: That’s potentially true. But I think we need to go through the process of establishing precisely where this – I really need to make the point that once we were aware of this, we notified the Ministry of Defence straight away. We are still going through the procedures that might yet locate this.
Anand: So what is the information on this unencrypted hard drive, that people could get access to, should they want to?
Fry: It is possible that it contains private details of serving service personnel.
Anand: Private details like what? Names, addresses, phone numbers, bank details? That doesn’t tell us much.
Fry: Names, addresses and personal details. In some cases there could be other personal data stored on them as well.
Anand: Let me fill in the gaps. Passport numbers perhaps?
Fry: In some cases but not right the way through.
Anand: Bank details?
Fry: The easiest way that I can answer this is to say that we need to go through a process of forensic testing and we need to do this in cooperation with the Ministry of Defence. Until such time as we have done that, and then we can give some definitive statements on this. What [otherwise] I would be giving you would be entirely speculative answers.
Anand: If you have procedures aimed to prevent precisely this kind of thing from happening, then how did it happen? Were procedures not followed?
Fry: That’s what we are in the process of investigating at the present time – we and also the Ministry of Defence and the Ministry of Defence police.