Spy Blog - SpyBlog.org.uk

As police investigations of the theft are at an active stage, I am limited in what I can say about the incident. It occurred on the night of Wednesday 9 January in Edgbaston, Birmingham. The laptop was left in a car that had been parked overnight and was unattended. That was a breach of security regulations. The stolen laptop contains personal information on about 600,000 people, the majority of whom had simply expressed an interest in joining the Royal Navy, the Royal Marines or the Royal Air Force.

Note that there is no mention of Army recruitment, either here or later on in the statement.

It is not clear to me why recruiting officers routinely carry with them information on such a large number of people--or, indeed, why the database retains such information at all.

The implication of these words is that this data breach involves many more people than just the one Royal Navy officer whose laptop computer was stolen.

A possible reason why military recruitment personnel might feel that they need to have copies of large databases on their laptop computers is that there might be a penny pinching lack of investment in reliable high speed , secure data links from the Careers Offices to the central databases.

The information held is not the same for every individual. In some cases the record may be no more than a name, but I am advised that for about 153,000 people who progressed as far as submitting an application form to join the forces, more extensive personal data are held, including passport details, national insurance numbers, driver’s licence details, family details, doctors’ addresses and national health service numbers; for about 3,700 people, banking details were also included. The records largely date back to 2003, although some records may date back as far as 1997.

This must represent a large proportion of those people who are currently serving, or are recent serving members of the armed forces.

Ministers were informed of the loss of the laptop on Friday 11 January, although at that point it was believed that the data were fully encrypted. That is relevant because the level of encryption used by the Ministry of Defence on its computers is stronger than that used for commercial applications

No it is not ! The best military and commercial applications of encryption produce the same result - information which is unreadable by unauthorised people for the foreseeable future, using all the theoretically available technical and human resources in the universe.

For example, the UK Government approved Killgetty full disk encryption software now uses commercially available AES algorithms to provide the same level of security (up to Top Secret) as previously CESG / GCHQ developed UK Government encryption algorithms.

and our IT authorities judge that a significant amount of time, resources and, in particular, expertise would be needed to access such data in a readable format.

That implies that it may somehow be humanly possible to access Ministry of Defence encrypted data if the such encrypted data fell into the hands of a foreign government.

Is this an admission by Des Browne of failure and a lack of confidence in the Ministry of Defence's encryption systems, or is it simply that he and and his spin doctors are clueless about encryption ?

The fact that the data were not encrypted was reported to Ministers on Monday 14 January.

The laptop was stolen "on the night of Wednesday 9 January", so why did it take 5 days to admit that the data was not encrypted ?

Subsequently, the Information Commissioner and the police authorities were informed, and as an immediate precaution all similar laptops were recalled from their users and secured. That was completed by 18 January.

Exactly many other similar laptop computers are involved ?

The theft is being investigated by the West Midlands police, assisted by the Ministry of Defence police. After consultation with the police about the impact on the investigation were the theft to become public knowledge, I decided not to make a statement to Parliament last Thursday--although I was ready to do so. Unfortunately, news of the theft of the laptop was reported in the media on Friday evening and the MOD was obliged to issue a brief statement setting out the facts of the incident, as they were being reported inaccurately.

Note how Des Browne seems to be blaming the media for reporting the scandal - media spin control seems to have a higher priority than anything else.

Was it the West Midlands Police, the Ministry of Defence Police or other Ministry of Defence sources or Labour party apparatchiki who leaked the story to the mainstream media ?

The intelligence services were also informed, and asked to assess whether the incident could lead to an increased threat to our personnel. Their view, understandably, was that the risk would depend on whether the information fell into the hands of extremists, but that there was no indication that had happened.

It would be extraordinary if the intelligence services did already have evidence of the data being abused by terrorists or foreign intelligence agencies, even before the laptop thieves have been caught or the laptop has been found.

In order to do so, they would have to already have had the laptop thieves under active surveillance and investigation, presumably in the hope of catching bigger fish. If such a sting operation is in progress, then why would they compromise their operational security by telling Des Browne about it ?

We are not convinced that our intelligence agencies (or anybody else's) have magically penetrated all the espionage activities of all our terrorist and foreign intelligence agency enemies. The claim that there is currently "no indication" that the data has fallen into evil hands is weasel worded media spin.

Letters have been sent to all 3,700 people whose bank details were included in the database, and are being sent to the 153,000 people who applied to join the Royal Navy, the Royal Marines or the Royal Air Force during the relevant periods.

Will the MoD repeat the blunders made by HMRC , by sending out excessive personal information in their post data security disaster mailshot ?

Again, there is no mention of Army recruits,

Why should we assume that their details have been handled any more securely given that it is the Army recruiting and training division which keeps the data "on behalf of all three services." - see below !

An internal investigation is also under way by the MOD’s head of security into the wider security issues raised by the loss of the data. In the time available, the investigation has established that in addition to the laptop stolen on 9 January, two further laptops potentially containing similar data have been stolen. A Royal Navy laptop similar to that stolen on 9 January was stolen from a car in Manchester in October 2006, and an Army recruiting laptop, containing details of about 500 individuals, was stolen from a careers office in Edinburgh in December 2005.

Two more stolen not simply mislaid or lost laptop computers with, hopefully not as much personal data stored on them.

These incidents were reported at the time to the local police and to the chain of command, although neither theft was reported to Ministers. Those involved believed that the data were protected by encryption and so no steps were taken to inform those whose records were potentially at risk.

So was the data on these two stolen laptops "protected by encryption" or not ?

The statement casts doubt on this, so it is best to assume that the data in these two previous incidents was not properly encrypted either.

Remember that an encrypted file or encrypted hard disk etc does not adequately protect the data, if the Cryptographic Key Material is also stolen or lost at the same time e.g. if the passphrase scribbled on a post-note, or even, if, say a PGP encryption private keyring is also stored on the same lost or stolen device, or if the associated cryptographic hardware token or smartcard etc. is also lost with the laptop computer.

As I said, our internal investigation has identified weaknesses in the application of MOD security procedures to the database,

What new practical steps were taken after each of these incidents, apart from paying lip service to the existing Standard Operating Procedures and Security Policies ?

This is clearly not just a one off, isolated incident, by an idiotic or perhaps malicious individual Naval Officer, but a systemic failure, for which Ministers and senior officials must take personal responsibility and resign or be disciplined.

which is managed by the Army recruiting and training division on behalf of all three services.

The Army manages the databases for all three services, but there is no mention of any Army recruitment data on this laptop, which seems peculiar.

In the time available, it has not been possible to establish all the facts, but it is clear that the database files were unencrypted, in breach of MoD procedures, and that there were shortcomings in security training and awareness among the relevant staff. Further, although the MOD was a full participant in the Cabinet Office-led review following the loss of data by Her Majesty’s Revenue and Customs, the thefts and the failure to comply with agreed MOD procedures for the system were not highlighted by those responsible for the system during the first phase of that review.

So the top officials at the Ministry of Defence have managed to fool themselves, and the interim data handling review by Robert Hannigan at the Cabinet Office, that everything was under control in their bureaucratic empire.

Why should we have any confidence in the other alleged "extremely serious" top level reviews in the other central Government departments ?

Accordingly, following consultation with the Information Commissioner, I have invited Sir Edmund Burton to undertake a full investigation into how these weaknesses came about, including responsibility for any breach of security and accreditation procedures, and to review the steps that we have taken to prevent any recurrence. Sir Edmund is chairman of the Information Assurance Advisory Council and supports the Cabinet Office in the implementation of the Government’s information assurance strategy. He is also a former chairman of the Police Information Technology Organisation and former commandant of the Royal Military College of Science.

Sir Edmund will work closely with those in the Cabinet Office who have been reviewing procedures across Government, following the HMRC loss of data. His report will enable us to answer the questions that still need to be answered. The Information Commissioner has confirmed in particular that the review will be wide enough to address the questions that he has raised, including why a database of this size was thought necessary for field recruitment staff. It will also enable the chain of command to identify where responsibility lies and whether anyone needs to face action as a result. Sir Edmund’s full report will be made available to the Information Commissioner.

Yet Another Review ! Who would have guessed ?

Note that there is no hint of any target date by which time this review will report, except, obviously, any interim or full report will no doubt be suppressed by the Labour party spin doctors until after the May local elections, just like the other alleged Reviews.

Why is there not a continuous independent data security and privacy audit, throughout Government, with the power to stop IT projects, to fine and discipline and prosecute transgressors ?

The current Information Commissioner, CESG etc. and private sector IT security and Information Assurance people only act as consultants and advisors, and have little actual power to enforce minimum standards on penny pinching accountants and political apparatchiki who fail to allocate proper technical and human resources to securing the publics personal and national security related data.

I take this theft of personal data extremely seriously.

If that were true at least one Minister would have resigned over this affair, and several senior military officers would have been cashiered.

This must never happen again

If there is a further data theft, then will Des Browne resign ?