Three times unlucky for armed forces applicants

Over 1.7 million names may be on the drive lost by EDS. To make matters worse, no one is really sure what is on the disk, or whether it was encrypted.

The loss of a hard drive by Ministry of Defence contractor EDS, revealed last week, is starting to look more serious. It also marks the third time personal data about armed forces recruits has gone missing in the last two years.

Initially, it was thought the drive lost last week held details of 100,000 army personnel, but now the figure has risen to a possible 1.7 million. Worryingly, no one is really sure what is on the disk, or whether it was encrypted.

In a written statement, Armed Forces Minister Bob Ainsworth told MPs the information, which went missing at an EDS site in Hampshire, was "unlikely" to have been encrypted.

He went on to say that the disk, whose whereabouts are still unknown, "may, in the worst case, contain details relating to 1.7 million individuals who have enquired about joining the armed forces."

The records may range from people who have made casual enquiries about joining the forces, in which case just their name and address would be included, to those who had applied to join.

"In some cases this will include personal information such as next of kin details, passport and National Insurance numbers, drivers' licence and bank details and National Health Service numbers," Ainsworth said.

The most worrying part of the statement came when he sought to explain why information might not be encrypted: "EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information."

That is a very revealing comment. It's like saying that if you have a strong enough lock on the front door, you can leave all your precious jewellery lying around the house. As every security professional knows, good security depends on multiple defences. If that really is the EDS approach when dealing with MoD data, then it needs changing.

To make matters worse, this is not the first time similar information has gone missing. Back in January an officer from the Royal Navy had a laptop stolen from the back of his car. The machine in question held data on 600,000 people who had applied to join the armed forces, and their personal details apparently included National Insurance numbers, medical details and the bank information of around 3,500 people.

As we reported here at the time, the MoD had recently been conducting a recruitment drive in the West Midlands, an area with a high proportion of Muslims. Since Muslims in the armed forces have been targeted in the past by terrorists, the risk of personal data falling into the wrong hands goes well beyond a bit of credit card fraud or identity theft. Potentially, there are lives at stake.

As we also reported, when the then Defence Secretary Des Browne gave a statement to Parliament on the matter, he revealed that another laptop containing much the same data had been stolen back in 2006.

The Cabinet Office ordered a review of data handling. On January 21, Cabinet Secretary Sir Gus O'Donnell sent an email to all department senior managers saying: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."

As we have now seen, that advice needs to be extended to include sub-contractors and business partners – and backed up by large fines or prosecutions. This unending series of blunders is beginning to look like something out of a 'Carry On' film, except that the consequences could be no laughing matter.
