Data on children of armed forces personnel exposed in breach

The personal data of 4,142 children and families of serving UK armed forces personnel was exposed last year in a data breach at the Ministry of Defence (MoD), one of seven personal data-related incidents reported to the Information Commissioner’s Office (ICO) during the 2020-2021 reporting year.

The breach, which was revealed in the MoD’s Annual report and accounts 2020-21, related to children attending MoD Schools, and occurred after an email address associated with MoD schools was compromised for a 72-hour period in February 2021.

MoD schools provide education to the children of service personnel and MoD-entitled civilians, contractors and fee payers posted overseas. The facilities are predominantly focused on early years and primary education and are located on military bases in Belgium, Brunei, Cyprus, the Falkland Islands, Germany, Gibraltar, Italy and the Netherlands.

The service also provides educational support and guidance for the children of service members attending local schools in allied states that do not themselves host UK bases – such as Australia, Canada and the US – and maintains the Queen Victoria boarding school in Dunblane in Scotland.

Computer Weekly understands that the breach related to the MoD's schools in Belgium, and that the account was compromised and used to send spam emails to users in its address book. The department subsequently regained control of the rogue account, and the MoD conducted a full investigation, but found no evidence of data exfiltration.

"We take the security of MoD personnel, systems and establishments very seriously. As soon as these incidents were reported, their severity was assessed and passed to the ICO in line with our obligations under the law," said an MoD spokesperson. "The ICO has not raised any concerns about MoD's handling of these incidents".

The ICO additionally confirmed it had been notified about the incident, and said that having provided guidance to the MoD, it closed its case taking no further action.

Other reportable incidents included a May 2020 breach in which the identity and home addresses of 147 MoD personnel was accidentally emailed to external organisations, including journalists; an incident that saw details and images of an injured individual taken from an incident logbook posted to social media; an incident in which court documents were incorrectly redacted, exposing the data of five individuals involved in a legal case; while in another court-related incident, an unredacted copy of criminal allegations was incorrectly passed to the accused, revealing the identity of the victim and witness statements.

The ICO was also notified of incidents including the posting of information on cadets and adult volunteers posted in a closed social media group, and the accidental posting of a member of public’s question to their MP to the House of Commons website.

Non-notifiable breaches included 27 instances where inadequately protected MoD devices or documents were lost on government premises, seven instances where they were lost outside government premises, two insecure disposals of inadequately protected documents, 479 incidents of unauthorised data disclosure, and 37 classed as ‘other’.

All told, the MoD reported 552 non-notifiable incidents, up from 546 in the year ending 31 March 2020.

Donal Blaney, founder of cyber ligitation practice Griffin Law, called on the ICO to investigate thoroughly. “Our courageous soldiers, sailors and air force personnel are willing to sacrifice their lives – often working under cover and in extreme conditions – so we can live in safety and freedom,” he said.

“The least the MoD could do is keep these brave heroes’ personal data safe and secure. Instead, their identities, and potentially the safety of their families and friends, have been put at risk by pen pushers.”

Tessian co-founder and CEO Tim Sadler added: “People are handling more data than ever before, and with that comes the inevitability of human error. Mistakes happen and, unfortunately, they can result in serious incidents which compromise data security and privacy. For example, emails being sent to the wrong person continue to be one of the leading causes of data breaches today.

“Organisations, therefore, must have security measures in place to prevent people’s mistakes before they turn into data breaches, and they must find ways to support staff who have access to large amounts of valuable or sensitive data to lower the risk of regulatory violations. 

“It is critical that employees are given the training they need to make the right cyber security decisions and that security teams have greater visibility to respond quickly to incidents as and when they happen,” he said.

This article was updated at 9:45am on 1 February 2022 to incorporate a statement from the MoD and additional information supplied by the ICO.