
Ministry of Defence 600,000 recruitment records on stolen laptop - ignorance or "Data Traitor" malice ?

The Ministry of Defence appears to have been infiltrated by Data Traitors:

MOD confirms loss of recruitment data

[...]
The Ministry of Defence can confirm that a laptop was stolen from a Royal Navy officer in Birmingham last week, on the night of 9/10 January, and as a result, a large quantity of personal data has been lost.

[...]

The stolen laptop contained personal information relating to some 600,000 people who have either expressed an interest in, or have joined, the Royal Navy, Royal Marines and the Royal Air Force

The information held is not the same for every individual. In some cases, for casual enquiries, the record is no more than a name. But, for those who progressed as far as submitting an application to join the Forces, extensive personal data may be held, including passport details, National Insurance numbers, drivers' licence details, family details, doctors' addresses and National Health Service numbers.

The Ministry of Defence is treating the loss of this data with the utmost seriousness. We are writing to some 3,500 people whose bank details were included on the database. Action has already been taken with the assistance of APACS [Association for Payment Clearing Services] to inform the relevant banks so that the relevant accounts can be flagged for scrutiny against unauthorised access.

[...]


Given all the recent publicity over the still not yet resolved HMRC data privacy and security scandal, there is no possible excuse of ignorance for the Ministry of Defence generally, and their Recruitment bureaucracy in particular, to have allowed this latest data security breach, involving a stolen laptop computer, which, for no good reason, contained over 600,000 people's records.

These are not just random members of the public, they are people who have expressed some interest, or who have actually supplied extensive personal details, as part of the process of being recruited into our Military frontline and support forces.

After all the HMRC and other recent data security and privacy breach publicity, this incident cannot be the result of ignorance.

There must be some malice involved, an actual betrayal of trust and national security which potentially puts people's lives at risk, i.e. the people responsible are Data Traitors.

Have they been bribed or coerced, or are they working to deliberately put such data at risk, for ideological reasons ? Is this the work of Al Qaeda or Taliban sympathisers, or of Russian or Chinese spies ?

This is not the first time that MOD laptop computers have been lost or stolen:

Written answers Wednesday, 22 June 2005

Lynne Featherstone (Hornsey & Wood Green, Liberal Democrat)

To ask the Secretary of State for Defence how many laptop computers have been used by (a) Ministers, (b) special advisers and (c) officials in his Department in each year since 1995; how many have been (i) lost and (ii) stolen in that period; what the cost was of the use of laptops in that period; and if he will make a statement

Adam Ingram (Minister of State (Armed Forces), Ministry of Defence)

[...]

The approximate number currently in use (covering laptops purchased in the last four years and held by both MOD civilians and Service personnel) is estimated to be in the order of 46,000 at an overall cost of £69 million.

75 laptop computers belonging to the Ministry of Defence (including the armed forces) are recorded as having been lost and 590 as having been stolen since 1995.

The Ministry of Defence is alert to the vulnerabilities of laptops and security policy and procedures are continually being reviewed and revised to introduce measures to reduce the numbers of laptops stolen or lost, and to mitigate the impact when losses occur.

Why then, has this current data security scandal happened ? Will any senior Sir Humphreys take the blame and resign ?

Following the HMRC scandal late last year, the interim report by Robert Hannigan, the newly appointed Cabinet Office Head of Intelligence, Security and Resilience:- Data Handling Procedures in Government: Interim Progress Report (.pdf 999Kb - only 14 pages) has a short section by the Ministry of Defence, claiming that all is well:

32. The Ministry of Defence has reassessed its policies and procedures in light of the incident with HMRC data, and is taking forward work to ensure that bulk data transfers are better protected and will make more explicit the need for early involvement of Data Protection Act specialists. MoD is seeking to achieve the same consistency in assessing the sensitivity of non-operational data in terms of impact level and classification as it routinely does with operational and research-based systems.

See our previous blog article: Poynter and Hannigan review reports fail to reassure anyone about UK Government data security and privacy issues - final reports delayed until after the May 2008 Local Elections ?

The MOD spokesweasels claim that

The Ministry of Defence is treating the loss of this data with the utmost seriousness.

If that was true, then either the junior Minister of State for the Armed Forces Bob Ainsworth or, preferably, the useless Des "Swiss Tony" Browne, the part time Secretary of State for Scotland (and also for Defence) would already have resigned from office, but these Labour Ministers have no sense of honour or duty, and will, on past performance, attempt to shift the blame onto their junior staff.

The MOD press release tries to divert public attention from just how serious this data breach is, by playing up the relatively minor potential bank fraud aspects of this scandal, something which the mainstream media are swallowing, and regurgitating:

We are writing to some 3,500 people whose bank details were included on the database

How about physically re-locating the families of the people whose lives this breach puts at risk ?

It would not surprise us, if, just like the HMRC scandal, the Ministry of Defence letters actually contain the bank account details of the people they are warning.

Note that there does not seem to be any actual public apology for this scandal.

The national security implications for the personal safety of members of the armed forces and their families outweigh any public interest in a criminal prosecution of opportunist thieves, if that turns out to be who has stolen the laptop computer.

Remember that Abu Bakr Mansha was convicted under the controversial Terrorism Act 2000 section 58 Collection of information, and was sentenced to 6 years in prison, for the possession of just one, out of date, home address of a serving soldier.

We think that this stolen laptop data would be of enormous practical value in aiding terrorist attacks and espionage by foreign intelligence agencies.

Members of the armed forces, or their families, or the patriotic people who were simply considering a Military career, now face potential physical attacks or postal, telephone or email threats and harassment, if this data gets into the wrong hands.

What should be done about this scandal ?

The media, opposition politicians and the general public should demand:

  • An immediate, substantial monetary cash reward for the safe return of the missing computer, "no questions asked". This should be offered now, not in a month's time, when the trail has gone even colder.

    As with the missing HMRC CDs, Spy Blog is willing to offer a little help (but not, unfortunately, any cash), to act as a proxy cut-out, between anyone with information about the whereabouts of these missing items (CDs or laptop computers). In the unlikely event that anyone with such knowledge wishes to contact the authorities, or even the mainstream media, then they can contact us via email or via the comments on this blog, anonymously.

    They might find our Hints and Tips for Whistleblowers suggestions to be of some use, in preserving their anonymity if they do try to contact us or the media or the authorities with information or the actual laptop.

    The offer of any such Reward should not make it any more likely that MOD or Military laptop computers will be deliberately stolen for their data, rather than just for their intrinsic value as laptop computers by opportunist thieves, if the next point is implemented at once.

  • An immediate confiscation of all laptop computers in the Ministry of Defence, and ideally throughout Whitehall, which are not yet running UK Government approved strong, whole disk encryption.

    The technology to do this has been available for several years. The former UK Government developed hard disk encryption product called Kilgetty used to use the UK Government developed Red Pike algorithm and Government issued key material, but now it uses commercially available AES encryption algorithm based software.

    It would cost less to upgrade the existing stock of unencrypted laptop computers, than has already been wasted on Police and Customs resources in searching for the missing HMRC CDs and for this stolen laptop computer (over a million pounds already, and counting).

  • Prosecutions under the Official Secrets Act. The UK Government Protective Marking level for data records, should normally be increased by a level or two, if they are collected together in one place, in vast numbers. Even if an individual record was only classified at the lowest level of Restricted, surely 600,000 of them together would justify a level of Confidential, or, since these involve Military personnel, the next level up of Secret ? Handing over so much Confidential or Secret data, without encryption, to someone who takes it out of a secure building, should merit prosecution of everyone involved, under the Official Secrets Act 1989 section 8 Safeguarding of information:
    or if he fails to take such care to prevent the unauthorised disclosure of the document or article as a person in his position may reasonably be expected to take.

  • Disciplinary action, including Courts Martial, for negligence and breach of duty, not just against the Naval Officer who is alleged by the media to have left the laptop computer in a car overnight in Birmingham, but also, crucially, of his superiors, who have somehow allowed 600,000 records to be downloaded onto a laptop computer in the first place.

    Nobody can read or make sense of that amount of data. If it was being used for statistical or even mailshot purposes, it had no business being on an unencrypted laptop computer exposed outside of a secure building.

If the Ministry of Defence cannot be trusted to keep sensitive personal recruitment details of their own staff and of potential recruits, safe and secure, then why should the Public trust the even less competent Home Office, to keep the National Identity Register centralised biometric database safe ?

Please support the NO2ID Campaign - "a single-issue group focussed on the threat to liberty and privacy posed by the rapid growth of the database state"

Comments

Please investigate why the government and banks do not exploit proposed ID KEY system to combat fraud because only this system will deter anyone from getting tempted to misuse our stolen personal and card details.


Dear Sir/Madam


Following report validates my claim that our current systems are not good enough to deter fraud crimes and hence the need to exploit ID KEY system described on website www.xwave.co.uk is now a MUST. This is the only system which will deter fraudsters from misusing our stolen personal and card details.

Fraud is real and security a must
What PC? - UK
Identity theft costs the UK economy more than £1.7bn per year, according
to the UK's fraud prevention service Cifas. Such costs should help
illustrate why ...


Please make the Home Office, APACS, FSA, Police and media give me the opportunity to prove my claim that ID KEY system will deter virtually all fraud crimes other systems will fail to deter with minimal effort, cost and delay.

Thank you.

Regards
Yogesh Raja (Executive Director)

Visual Security International Limited, 9 Bond Close, Aylesbury, Bucks. HP21 8FZ, U.K.

Mobile 07989 344509 Website www.xwave.co.uk Email ykr@btinternet.com

WARNING: Idea of ID stickers and Card Key Code used in ID KEY system are rights protected by granted patents while the stationery used is protected by copyrights. U.K. (Patent no. 2301555 and 2334362), Europe (Patent no. EP0748285 which covers 15 countries) and U.S.A. (Patent no. 5,884,942)


@ Yogesh - you are making David Blunkett style exaggerated claims for your product (or is it just a patent ?).

Your product, like the Government's ID Card, cannot work online over the internet or via a phone call, which is how the majority of Customer Not Present fraud occurs these days.

How is a shopkeeper, who has never seen you before as a customer, and who has never seen your "real" signature, going to be able to actually verify it any better off a pre-printed sticker, than by obtaining it directly ?

Your scheme is obviously not the only system which will deter fraud !

You are also repeating the Labour Government lies about the alleged £1.7 billion annual cost of "identity fraud", a figure which is itself as fraudulent and inaccurate and exaggerated as their previous guesstimate of £1.3 billion a year.

"Identity theft" is not the same as credit card or cheque fraud.

See our previous blog article which debunks such hype:

Andy Burnham's "£1.7 billon identity fraud" figure is as false as the previous £1.3 billion one


The issue here is not so much about the loss of the laptop and any related incompetence, it's about why the MoD has all that data in the first place. Passport details, driving licence details, family details and much more is of no concern - generally - to the MoD, so why do they, like so many other organisations, insist on collecting it?


The Sunday Telegraph has some more details

Laptop held 10 years of servicemen's details

By Sean Rayment
Last Updated: 11:13pm GMT 19/01/2008

The personal details of servicemen and women who joined up more than 10 years ago were held on a laptop computer stolen from a junior naval officer's car.

[...]

It is understood that the latest theft took place outside the home of a junior recruiting officer in Edgbaston, Birmingham, last weekend. Sources said the officer is unlikely to be court-martialled but will face an MoD inquiry, possible disciplinary action and questioning by police investigating the theft.

It is understood that two separate databases were downloaded by the officer, including one with details dating from the late 1990s. Among the 600,000 names were full details of about 150,000 personnel and the bank details of 3,500 servicemen and women.

[...]

Therefore the personal details of some, or perhaps most, of the members of the Special Forces and of Muslims who have joined the Armed Forces, who are particularly at risk as targets of terrorists (both Irish and Al Qaeda and Taliban) have been betrayed by this "junior naval officer", and by his superiors who have allowed such a disaster to be physically possible.

There must be resignations and prosecutions.

It will be interesting to see how Defence Secretary Des "Swiss Tony" Browne tries to weasel word any blame away from himself or other Labour Ministers, when he makes a statement to Parliament, hopefully on Monday.

It will also be interesting to see what Lord West of Spithead, the Home Office junior Security Minister will say, given that he himself was guilty of losing classified documents relating to Naval budget cuts, which then "leaked" to the press, when he was a Naval officer.



It actually beggars description that anyone would leave a lap top in a car particularly when it contained personal details. Theft from cars is notorious in that area of Birmingham and, assuming that even the M o D has some basic rules for staff who take what is public property with them, then I can only see this as negligence and as such gross misconduct which, if proven, is a dismissable offence.

The fundamental question is however what on earth was the necessity for such information to be taken out of the office anyway?


The Sunday Times implies, reasonably, that the Royal Navy officer was working at the Armed Forces Careers Office in the Pallasades shopping centre above New Street railway station, in the centre of Birmingham.

Muslim troops at risk after laptop theft

[...]

The information was not encrypted and would therefore be accessible to anyone with basic technical knowledge. But the possibility that serving Muslim personnel and recruits could be singled out if the data fall into the wrong hands is causing growing concern among defence officials.

[...]

The laptop was stolen during the night of January 9-10 from the boot of a car belonging to a junior navy officer who worked in naval recruiting and the material is said to have been collated at the Armed Forces Careers Office in Birmingham. The officer has been questioned by West Midlands police who are investigating the theft.

The office is based in the Pallasades shopping centre, above Birmingham’s main railway station

[...]

Such a location in a shopping centre, is not as physically secure as a military base with armed guards to hand, is it ?

How many other people working in such physically vulnerable locations, using telecomms infrastructure which is easily accessible to their civilian neighbours, have access to download such large amounts of classified sensitive personal data, from the supposedly secure central Ministry of Defence or the individual Armed Services personnel databases ?


The BBC reports a description of the missing laptop computer:

[...]

The missing laptop is a black COMPAQ Evo N600c with a 1.5in silver line running top to bottom, right of centre, and with the words COMPAQ in red ink.

It also has a fixed mouse area with a blue rubber cursor button between keys.

[...]

The black left rubber foot on the underside of the laptop is possibly missing and one of the catches on the lid is possibly broken.

According to police, the laptop was stored in a black fabric case when it was taken, and it went missing along with a silver Nokia 6030 mobile phone.

[...]

Has there been a team of armed Police and / or SAS troops on standby, to descend on wherever this mobile phone is switched on, thereby, revealing its approximate location to the mobile phone network ?

Has an SMS text message offering a substantial reward, no questions asked, been sent to this mobile phone ?

If not, then why not ?

N.B. there is currently no such laptop computer description, or appeal for help, or related press release on the West Midlands Police website

The Government is not taking this scandal as "seriously" as it should be.

