Have you seen my hard drive?

Today, yet another public sector body has admitted to a major data loss. This time, the MoD has launched an investigation into the loss, by contractor EDS, of a portable hard drive containing the personal details of members of the armed forces. The drive could contain the details of up to 100,000 members of the armed forces and 600,000 potential recruits, according to reports.


10 comments


It's just another day, another public sector data loss... it's becoming so common now that it's almost becoming a non-news story!
This is reminiscent of what the bowl of petunias said when it hit the ground – ‘oh no, not again.’ How can these incidents still be happening? Indeed, this is the second data loss for EDS, and goodness knows how many Government details have been lost in total. It is beyond ridiculous. Once again, as we saw last month with PA Consulting, it is the third parties who have let the Government down and exposed the dangers of outsourcing critical IT. These repeated cases are systematic of people’s inability to adapt their IT security policies and procedures to the mobile data generation. In the past, data did not get stolen or lost on this scale because moving a huge, old computer was rather conspicuous. Now that we are embracing the technology of portable storage devices we have to get up to speed when it comes to their security. It’s either that or stop putting sensitive data on these devices at all.
James is right. The complacent, irresponsible attitude towards people's personal data is unbelievable, yet every day some hapless numpty is given a device with more personal information than a crook could use in a lifetime. Whoever was responsible for that device when it was taken should be fired. And sorry Susan, I don't get the petunias joke, but don't worry.
Susan, I agree. From what I've seen the data seems to have been used for the purpose of testing a new system. If this is actually the case, then there should be absolutely no reason why real live data needed to be on that portable hard disc.
I am sure incidents like this have always happened. In the past, I suspect data loss incidents were simply hushed up. The fact that we are hearing about so many data losses now is probably a sign that we are being more open than we were in the past - not that people are being more careless.
Lumension Security commented: “This latest security blunder involves unencrypted disks that contain extremely sensitive information and at this stage it is not known how long the data has been lost for. Whether data was lost by the Government or a contractor, without implementing the necessary security procedures to protect data in transit, data leakage will continue, exposing thousands of innocent people to identity theft. “This incident demonstrates that decisive and effective measures still need to be taken to protect against data leakage. Although taking control of data leakage is no mean feat, any organisation holding sensitive data needs to take responsibility for establishing and enforcing device control policies that assign permissions to individuals and devices. Moreover, all data needs to be encrypted to ensure that if it falls into malicious hands it is inaccessible and worthless. It is simply no longer enough to write a computer security policy and expect everyone to follow it to the letter. This is especially true in the case of contractors - monitoring your information and knowing where it is at all times becomes much more complex when multiple parties are involved in the process. “The proliferation of data loss occurrences due to the inappropriate or sometimes criminal use of removable media devices has reached alarming levels, with no sign of abating. The only way to eliminate data loss from removable devices is to take control of the flow of inbound and outbound data from your endpoints and encrypt the data during transmission. These solutions exist today; policy needs to enforce their usage. The Government released a report into Data Handling Procedures in June 2008 addressing this issue and we are seeing isolated moves to proactive implementation of policy, such as NHS boards across Scotland injecting funding into the improvement of IT security. 
But, we can only ask when will all organisations start taking this escalating data loss seriously and act preventatively?”
It was only a month ago that EDS almost triggered a Prison Officers’ Association strike when they admitted to losing 5,000 prison officers’ details, and now they are being held to account for this loss of 100,000 records. In the wake of PA Consulting losing its £1.5m contract with the Home Office after it lost 84,000 prisoner details they must be wondering what punishment is in store – I certainly would like to be a fly on the wall when they find out! It is a fact of life that sometimes things get lost, but what is concerning here is that after a year of well-publicised cases of data loss a government department (or consultant working on behalf of it) is still allowed to operate with disregard for the information in its charge. Gus O’Donnell was pretty clear in his statement to Parliament after cases started to come to light around this time last year, including the loss of a MoD laptop with 600,000 records on it in Jan 08 – any laptop or portable storage device moving outside of a government office and leaving the secure IT environment has to be encrypted. As an individual I am very concerned about where my personal data ends up and how it is used, and I am sure most people are the same – so, are we shouting loud enough to get this sort of thing to stop? Regular news coverage of any story can get boring and breed complacency, but I have to believe that as more people get directly affected by identity fraud or other outcomes of data loss there will be a growing voice insisting that we are better protected, and that positive action is taken against those who continue to ignore their responsibilities.
The enemy within! This example illustrates how many organisations focus on “securing the perimeter” without sufficient regard for the potential for damage internally. Negligent as this is, focus must be put on overall accountability for lack of adequate processes, checks and enabling technology. I agree with all of the previous comments when they state that there is absolutely no reason why live data should be used for testing purposes - disguised or dummy data should be used instead. In fact, it may well be that the Data Protection Act has been broken as one of the principles of the DPA is that you shouldn't be using data for purposes other than for which it was collected. In this specific case, what is at stake is not financial loss but the lives of our soldiers. They defend our country, the least we can do is defend their data!
The news that the MoD has lost the details of 100,000 serving personnel is yet another example of the government failing to treat the issue of data security with the seriousness it deserves. When it comes to handling data in the public sector, there appears to be a major fault line emerging between operational objectives and public expectations. Public sector organisations are ignoring their obligations whilst consumers and the public are looking for answers. Organisations need to have appropriate measures in place or are at risk of permanently harming public trust, and failing to meet their goals for transforming government. What is more, the fact that the UK currently doesn't have data breach notification legislation means that public and private sector organisations are under no obligation to inform consumers if their data has been lost. This serves to compound consumers' lack of faith in the government's ability to protect their data and will no doubt affect the popularity of upcoming schemes, such as ID cards. Consumers have the right to know if their data has been jeopardised and it is vital that organisations realise that data management is not just about technology, but also about implementing policies to guard against data loss and educating employees on best practice. However, it does appear that those working within public sector organisations do seem to realise that changes need to be made; according to research conducted by Clearswift and IA08, the government’s Information Assurance Event, 53 per cent of public sector employees polled felt that their organisation didn’t dedicate enough time to Information Assurance (IA) issues. Added to this, 86 per cent felt that IA procedures could be improved significantly across the UK government as a whole. With this cognition happening within the public sector, it is unacceptable that significant changes to data security are not being made. The government cannot go on letting the UK public down in this way.
Ironically, most of the information that is lost today is not actually as a result of attacks at all, it's as a result of information just simply being mislaid or lost. We know only too well how often data goes missing, often threatening companies' reputations as well as personal security. Simple steps can ensure that data is secured and therefore the risk controlled. These high-profile data breaches only serve to underscore the importance of data loss prevention technologies and strategies – and these technologies are already out there. For example, Stonewood Group’s fully Encrypted Hard Drives, with a capacity of up to 500GB, combine advanced whole disk encryption with expert authentication, ensuring that in the event of the computer being stolen or illegally accessed all the data saved to the computer and held on the hard drive remains inaccessible to unauthorised users. Organisations and individuals must protect data by managing and storing it on secure, encrypted devices. The importance of protecting confidential, personal details often goes unnoticed until it is too late.
