A Ministerial Written Statement confirms the story in The Sun, and our speculation that it was the TAFMIS (Training Administration and Financial Management Information System) database which has been lost, yet again:
See the previous Spy Blog article - The Sun: MoD data on 1m is missing - EDS again
13 Oct 2008 : Column 28WS
Data Security
The Minister for the Armed Forces (Mr. Bob Ainsworth): The House will be aware that the Ministry of Defence is investigating the disappearance of a computer hard drive from the premises of a contractor, EDS, at Hook. This incident has happened in part as a result of the work that the MOD has been doing in partnership with EDS to implement the requirements of the Cabinet Office's data handling review (DHR) and our own action plan following Sir Edmund Burton's review into data handling in MOD. This process of departmental improvement will continue to root out and expose areas where shortcomings need to be tackled.
In this most recent case, whilst conducting an audit of storage media, EDS found that it could not find a removable hard disk drive. Under the terms of its contract EDS is required to protect all personal information in its care. The hard drive had been used with the TAFMIS recruitment system and may, in the worst case, contain details relating to 1.7 million individuals who have enquired about joining the Armed Forces.
For casual enquiries this will include no more than a name and contact details, but for those who applied to join the forces more extensive personal data may be held. In some cases this will include personal information such as next of kin details, passport and national insurance numbers, drivers' licence and bank details and national health service numbers. EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information.
So what? That is no excuse.
Firstly, there should not be any doubt at all as to whether or not the data was encrypted: either it was encrypted as a result of the crash programme to do this after the scandal of the unencrypted TAFMIS laptop computers discovered in January, or it was not.
Secondly, there is no way that the entire 1.7 million record TAFMIS database could possibly have been correctly classified as being at only the low, Restricted level of Protective Marking.
Perhaps individual records could be at this level, but it is well established standard operating procedure that the Protective Marking for such large aggregations of low level Restricted data should be bumped up to Confidential or Secret, with all the extra precautions and expense that entails.
The Cabinet Office Data Handling Review demands extra precautions when a paltry, arbitrary one thousand records are collected together into a file or database which could be lost or stolen. Surely it should be obvious that hundreds of thousands or millions of records deserve even more care and precautions?
An investigation is being conducted by the MOD police. The MOD has set up a help line for those who may be affected by this incident, and for those individuals whose financial details may be involved, action has been taken through APACS (the Association for Payment Clearing Services) to inform banks so that the relevant accounts can be flagged for scrutiny against unauthorised access.
So they are going through the same motions as they did last January, when the laptop computer with virtually the same TAFMIS database was stolen from a parked car in Birmingham; it has still not been recovered.
So all that work and expense back in January was a waste of time and money.
How much public money has this scandal cost, so far?
As a result of the review conducted earlier this year by Sir Edmund Burton, the MOD is clear about the crucial need to implement wholesale improvements in how we store, protect and manage the use of personal data. We are also clear that we need to effect a significant behavioural change among our people at all levels. We are currently engaged in a comprehensive programme to do all of this. The MOD is a large Department operating many complex data systems world wide, often at very short notice and under extreme conditions. This presents additional challenges and risks in the implementation of rapid change; however, we are determined to ensure that we effect that change.
Link to download Sir Edmund Burton's Review into the MoD recruitment laptop theft scandal
A weasel-worded bit of spin.
The UK-based TAFMIS recruitment database is not an example of "operating many complex data systems world wide, often at very short notice and under extreme conditions", is it?
There are no harsh physical environments or active combat situations whatsoever at the regional military recruitment offices or personnel head offices in the United Kingdom where the TAFMIS database is used or maintained, are there?
We have pursued the task with urgency and commitment and in the process we have identified further opportunities for improvement.
Translation: we have found a lot more data security and privacy scandals, which have not yet been leaked to the mainstream media.
The progress that the Department has made to date is consistent with that required by the DHR timetable and the commitments we have made to the Information Commissioner. Some of the greatest challenges that we have had to overcome relate to incorporating stricter data handling standards into existing contracts and their related systems retrospectively.
Why does the simple concept of asking whether or not the supplied or promised Goods or Services are Fit for Purpose not suffice?
We have undertaken a series of comprehensive reviews into our personal data holdings, looking wider than our personnel systems, and assess that we hold in excess of 200 million records. By the end of October, as agreed, all personal data held by MOD will be under the new governance regime required by DHR. This work relies heavily on reciprocal commitment from our key suppliers. Central to it is our continuing detailed census of storage as part of our commitment to good data management.
Why are they pretending that this is something new? Previous military IT systems and contracts used to have all of this built in from the start.
Who are the individuals who authorised a change to the current, obviously insecure procedures ?
In line with this, it is intended to reveal whether any storage devices cannot be accounted for. Such cases are treated very seriously with immediate action to investigate the loss, engage individuals who might be at risk of compromise and alert the Information Commissioner. This process led to the discovery of the missing hard drive at the EDS site in Hook.
"very seriously" - the Ministry of Defence seems to have corrupted the meaning of this bit of the English language to mean the exact opposite of its normal usage.
If they had really taken things "very seriously",
The fact that this event, and another involving a suspected theft at Innsworth, has occurred on a high security site manned by cleared personnel illustrates the need continually to review and enhance our arrangements for personal data. This work relies heavily on reciprocal commitment from our partners.
It also illustrates the lies being peddled by Home Office Ministers with regard to the alleged security of the National Identity Register and all the other centralised databases which they claim to protect to standards that are no better than the failed Ministry of Defence ones.
The Information Commissioner's Office recognises that we may uncover further issues as we implement our assurance regime. This is a direct result of emplacing an effective approach to data security. The implementation of our action plan remains on track to be compliant with the requirements of the Burton review by the end of March 2009 and likewise the requirements of DHR by October 2009. We will update the House as required.
What financial sanctions are being taken against the relevant Ministry of Defence managers and the management of EDS, who are clearly in breach of their commercial contract?
All of the Ministry of Defence officials and EDS managers responsible have committed a criminal offence under the Official Secrets Act 1989 section 8 (safeguarding of information), and should be prosecuted.
The controversial Counter-terrorism Bill 2008 section 83 (Offences relating to information about members of armed forces etc.) seeks to amend the Terrorism Act 2000 to create a separate "thought crime" offence, punishable by up to 10 years in prison, for:
1) A person commits an offence who--
(a) elicits or attempts to elicit information about an individual who is or has been--
(i) a member of Her Majesty's forces,
(ii) a member of any of the intelligence services, or
(iii) a constable,
which is of a kind likely to be useful to a person committing or preparing an act of terrorism, or
(b) publishes or communicates any such information.
What is the point of this, when the entire TAFMIS military recruitment database, with the details of hundreds of thousands of current and previous members of the armed forces, has now been lost or stolen on at least 3 occasions?
These data losses should be enough reason for GCHQ to abandon confidence in maintaining any records of personal emails and calls - that's an accident waiting to happen. I am not relaxed with the thought that bureaucracies have difficulties with complexity either!