A Ministry of Defence official says it is investigating with its contractor EDS whether a 1TB portable hard drive, which went missing from EDS’s secure offices at Hook, Surrey, had an unencrypted download of the MoD’s “TAFMIS” training and recruitment database.
When I put it to an MoD official that such are the security and audit mechanisms that nobody seems to know whether a large government database has been downloaded onto a portable hard drive which later went missing, the MoD official replied:
“We are vulnerable to that criticism, it would be fair to say.”
The MoD is custodian for tens of millions of data records, according to an inquiry into a separate MoD data loss earlier this year.
In a statement on the latest incident, the MoD said it’s possible that some of those serving in the armed forces “may have been compromised.”
The MoD statement said:
“There is no indication that the data, if indeed it has fallen into unauthorised hands, has been exploited maliciously in any way; but it is possible that personal information on anyone serving or who has served in recent years in the Armed Forces may have been compromised.”
The Training Administration and Financial Management Information System (TAFMIS) system stores personal information on people who have applied to work in the armed services and includes those who have already joined.
TAFMIS records, for example, those who are registered at MoD training premises and have applied to join the armed forces through MoD-owned town-centre recruiting offices.
In April 2008 a report by Sir Edmund Burton, on a separate incident involving a loss of information from the TAFMIS database, highlighted systemic weaknesses – what the report called “departmental failings” – in the MoD’s oversight of sensitive data on armed forces personnel.
On 9 January 2008 a TAFMIS laptop containing the unencrypted personal records of about 600,000 recruits or potential recruits was stolen from a Royal Navy recruiter’s parked car. Two weeks later the Cabinet Secretary ordered a halt to the movement of unencrypted laptops and removable media.
The Burton report said:
“There is no evidence to confirm that the data protection aspects arising from the Royal Navy/RAF requirement for a substantial database available for use on a laptop, had been formally addressed either by the service sponsors or by the contractor.”
The report added:
“Information risk is not being formally managed at executive boards across the department, with a small number of exceptions. This constitutes a significant risk to the Department’s operational effectiveness, resilience and reputation … outside MoD HQ, with a few notable exceptions, there is very limited understanding of the Department’s obligations under the Data Protection Act.”
It’s unclear whether the latest incident – the loss of the hard drive from EDS’s offices – happened before or after the tightening of security in the wake of the Burton report.
It’s also unclear whether there were any constraints on what data could be downloaded from TAFMIS onto a portable hard drive. An MoD official said that the department owns the data and EDS runs the TAFMIS hardware.
The missing hard drive was first reported in The Sun – and was not mentioned by the MoD until after the story appeared.
Liam Fox, the Conservatives’ shadow defence secretary, said: “For very obvious personal and national security reasons the MoD must ensure that it handles the records of our Armed Forces personnel with the highest care.”
EDS said in a statement: “We have been unable to account for a removable hard drive that was held in a secure location at our facility in Hook … There is no evidence that security at the site has been breached.”
A transcript of an interview between the BBC and Sir Robert Fry, Managing Director of EDS Defence, is published on the IT Projects blog separately.
A transcript of my interview with an MoD official is below:
Does the MoD know for certain whether there is any information on the missing hard drive?
MoD: “That is part of our investigation. We have never said there was any information. The hard drive was part of a system [TAFMIS] which records details of people who have expressed an interest in, or have joined, the armed forces. We don’t know what, if any, information from the [TAFMIS] data is on that hard drive.
“Because TAFMIS is a rolling system, some of the people who are on TAFMIS as having applied to join the armed will inevitably have joined. To suggest that some of the people on TAFMIS are now serving is not inaccurate. In terms of numbers nobody yet knows how many are on the hard drive if any.”
The hard drive could possibly have a download of the entire TAFMIS database?
MoD: “I just don’t know. All I know is that it [the portable missing hard drive] was connected to the TAFMIS database as part of a test of some changes to the database.”
Does EDS have to have live data to do a test?
MoD: “You need to speak to EDS … As far as I know it’s better to have live data to run a test.”
People may have concern generally that the MoD is not in a position to know whether a private contractor has a download of a large government database or not. Are staff at the private contractor allowed to take a download of a government database onto a detachable hard drive?
MoD: “That would be something under the terms of EDS’s contract which is something I am not privy to. I do not know for certain. I am not aware that anything EDS has done is against procedures. It’ll be part of the investigation to discover whether everyone has behaved the way they needed to behave.”
The [Sir Edmund] Burton inquiry looked into a [separate] loss of information from the TAFMIS database?
MoD: “Indeed. That’s why that figure of 600,000 is being bandied around. That was the number affected by that [stolen laptop in January 2008] incident. TAFMIS is a rolling collection of data. TAFMIS will have those details on it.”
Who is responsible for the TAFMIS data?
MoD: “EDS administers the data. We own the data but EDS runs the kit. That hard drive is theirs.”
So one of the things you’ll be looking into is whether EDS staff should have access to the data itself?
MoD: “… The Secretary of State has said that we will be looking at EDS and how we use them as part of our overview of this. We will be looking at this in totality, not just the loss of the hard drive. The MoD police are investigating this with EDS.”
The hard drive was only discovered as being missing as part of a general audit following the missing CDs at HM Revenue and Customs?
MoD: “The Cabinet Office data handling review required audits to take place. In conducting the audit it was found that this hard drive was unaccounted for. We were told on Wednesday [8 October 2008].”
The drive could have gone missing some time ago?
MoD: “We don’t know. That will probably be part of the investigation. I want to stress but not everybody has quite understood – people are talking as if we have definitely lost this data, as if 1.6 million passport and bank details have been lost – that this is not the case. We cannot say for certain whether anything has been lost and it certainly would not be that order of bank details. [Fewer than 1% of those on the TAFMIS database have their bank details stored on the system.]”
We [Computer Weekly] may point out that such are the security and audit mechanisms that nobody seems to know whether there is information on the missing hard drive?
MoD: “We are vulnerable to that criticism, it would be fair to say. We know what it was attached to, and so we know what the scope is.”
Last month the Secretary of State for Justice, Jack Straw, ordered an inquiry into the loss of a computer hard drive containing the details of up to 5,000 employees of the justice system.
He was also trying to establish why he was not told of the loss, which happened in July 2007.
Jack Straw said in a statement: “I am extremely concerned about this missing data. I was informed of its loss at lunchtime today and have ordered an urgent inquiry into the circumstances and the implications of the data loss and the level of risk involved. I have also asked for a report as to why I was not informed as soon as my department became aware of this issue. My officials are also in touch with EDS as part of these processes. We take these matters extremely seriously.”
A Ministry of Justice spokeswoman added: “We believe nearly all of this data related to financial information – for example, invoices from Prison Service suppliers.
“However, we believe there is also a limited amount of personal information on around 5,000 NOMS [National Offender Management Service] employees including their names, dates of birth, National Insurance numbers and employee numbers.”
MoD loses hard drive – Computer Weekly website
MoD statement on missing EDS hard drive – MoD website
EDS again? – Stuart King’s Blog
BBC News on missing hard drive – 10 October 2008
MoD TAFMIS laptop theft – report from June 2008
Army rumour network – discussion on TAFMIS hard drive loss
Personal details of British Armed Forces lost – IT security portal