Data loss could cost EDS, leading to financial and staff penalties

An EDS security breach involves the loss of an unencrypted portable hard drive holding personal information on members of the British armed forces. EDS had prior data leakage incidents, one involving a lost laptop. The corporation could face costly financial and staff penalties and Official Secrets Act prosecutions, and should better enforce security requirements.

EDS could face stiff financial penalties after it emerged that the IT contractor has lost a portable hard drive containing the personal details of about 100,000 members of the British armed forces. Some staff could also be prosecuted under the Official Secrets Act, lawyers say.

The drive is thought to contain personal information including bank and driving licence details, passport numbers, addresses, dates of birth and telephone numbers. Details of 600,000 potential recruits may also be on the disk, which was not encrypted.

In a statement, the Ministry of Defence said: "On 8 October we were informed by our contractor EDS that they were unable to account for a portable hard drive used in connection with the administration of Armed Forces personnel data. This came to light during a priority audit EDS are conducting to comply with the Cabinet Office data handling review. The MoD Police are investigating with EDS."

The loss is just the latest in a whole string of similar events, and comes just a month after it emerged that EDS had lost a hard drive containing the details of 5000 prison employees in 2007, and had kept quiet about the fact for more than a year.

It also follows the revelation in July that the MoD had lost 658 laptops in the last four years.

The latest loss puts EDS in a difficult legal position, according to Susan Hall, a partner and IT expert at law firm Cobbetts LLP. "It seems a bit odd that the data was held on a device that was both portable and unencrypted. Because it is personal information, it would be open to action under the Data Protection Act. Most of the Act's eight principles have been spectacularly breached."

More seriously, individuals could be liable to prosecution under the Official Secrets Act, which is already being used against a Cabinet Office official who left top-secret papers on a train in September.

Hall added that any contract between the government and EDS would include clauses to cover security of confidential information, and could lead to financial penalties being levied. Even if the disk is never found, extra protection may have to be provided for some of the people on file, just in case their details are leaked.

Industry reaction to the breach was a mixture of shock and disbelief. "The stupidity of many of the outsourcing companies is flabbergasting," said Clive Longbottom, service director at research company Quocirca Ltd. "OK - the government has been slow in making sure that policies are in place to safeguard information inside its own perimeter, but outsourcing companies should be the ones showing the way, ensuring that they are squeaky clean.

"The biggest problem, as always, is the individual. With the majority of large outsourcing companies running as sets of loose fiefdoms, individuals tend to believe that the rules are for everyone else - that they are too important to spend time following such niceties. With their work being spread around with little centralised control, this slapdash approach can keep occurring. Also, with little in the contract of employment to make it a sackable offence not to take reasonable care of a customer's data, little can be done against an individual."

Longbottom said it was now down to the government to mandate data security with all companies that it deals with. "It should dictate the manner of encryption (a minimum level, at least), it should dictate procedures for the handling of data on movable media. It should dictate the results of non-compliance - at a financial, business and brand level. The government should make it that any data breach has to be made public within a stated period of time, and who that breach was made by and how. The same should be the case for any business - only by doing this will the outsourcing community be forced to put its house in order."

Whatever happens, EDS (now owned by HP) is unlikely to lose government contracts, in the short term at least. As the EDS website boasts, the company is prime contractor on many of the MoD's major IT programmes, and is working on several other major government projects. While PA Consulting recently lost government business in the wake of a similar security breach at the Ministry of Justice, EDS is too tightly involved in strategic programmes.

No one at EDS was available to talk on the record, but the company issued a statement saying: "Following a data audit that we carried out under the terms of the Cabinet Office's Data Handling Review, we have been unable to account for a removable hard drive that was held in a secure location at our facility in Hook. We informed the MOD on Wednesday 8 October and we are working with them to investigate this, including to establish what data may have been on the hard drive. There is no evidence that security at the site has been breached."
