More MOD data goes AWOL

This week’s data-loss story is a Ministry of Defence hard drive that’s gone AWOL. Another example of the UK government’s seemingly bottomless commitment to freeing up access to its data, by distributing it at random around the globe.

Ministry of Defence, that was.

An investigation is under way into the disappearance of a computer hard drive which could contain the details of about 100,000 Armed Forces personnel.

And when it says detail, it means unencrypted detail:

There may also be some personal information including bank and driving licence details, passport numbers, addresses, dates of birth and telephone numbers.

Of serving members of the Armed Forces. Does information get much more personal? It’s not as if that sort of data would be any use to enemies in the ongoing TWAT. (*heavy sarcasm*)

How much confidence does that inspire in the security of the information they’ll have on us mere civilians, when the ID-card scheme includes us all? (*Rhetorical question*)

A commenter said in the Independent

The MoD didn’t lose this data, EDS did. Nobody cares about data that isn’t their own. If this data had been handled in house and the work not outsourced it wouldn’t have been lost.

EDS is the MOD’s main IT contractor. Here’s their web page.

… as an HP business group, EDS delivers one of the industry’s broadest portfolios of information technology and business process outsourcing services to customers in the manufacturing, financial services, healthcare, communications, energy, transportation, and consumer and retail industries, and to governments around the world.

The About us page has US contact numbers. It seems to have been written by someone from a Dilbert cartoon. Everything they do is “innovative” and their

high-quality, cost-competitive services are provided from the optimal mix of onshore, nearshore and offshore locations.

This determinedly shore-heavy focus may refer to their “related companies” (part-owned companies), which include companies based in the UAE, India (workforce: 28,000+), the USA and other unspecified locations. One provides “Benefits, Payroll and other HR Administration services to more than 34 million active and retired employees from its client organizations.”

On 8 September 2008, prison officers were disturbed about EDS’s loss of their personal data, to the point of threatening a strike.

At that time, Computer Weekly pointed out that EDS already had something of a track record in the data-loss area. The Burton Review Report, published in April 2008, looked into an earlier loss of MOD personnel data, in which EDS were involved.

One of the themes emerging from the Strategy for Transformational Government (2005) was the increased emphasis on sharing services, particularly in information and infrastructure. The Armed Forces have been early pioneers of this approach, through a range of Private Finance Initiative (PFI) and Public Private Partnership (PPP) contracts. (from page 4, Burton Report)

Hmm. Need look no further for the culprit methinks: the whole process for giving out PFI and PPP contracts.

You might assume that the UK must be desperately short of cash, if it’s prepared to hand over its most crucial information to any company that offers to undercut government employees, while providing a better service and still making a profit. (Well, it must sound convincing to UK governments.) But it seems that the UK government has a bottomless pit of money for bailing out banks, so shortage of cash can’t be the reason.

If you are interested in looking up the track record of other private companies that keep public data, datalossdb.org could fill in an obsessive hour. Type the name of your chosen PFI company and see what turns up.

Blame the Cold War

Yet another “downside” of the thawing tensions between East and West was announced on the BBC today. Sir Edmund Burton was investigating the MOD’s woeful inability to prevent laptops going missing, and one of his conclusions was reported as:

Armed forces recruits from the “Facebook generation” do not take data security seriously enough, a Ministry of Defence security probe has found. (…)
In a highly critical report, he says the MoD had lost its Cold War discipline for data security and there was “little awareness” of its importance among staff. As a result a major security incident had been “inevitable”.

I sort of agree in that such a loss was (and still is) inevitable. However, I am not convinced it is as clear cut as the “facebook” generation or the end of the cold war.

First off, most of these breaches are not made by inexperienced recruits – they are not the sort of person who carries a laptop around with huge amounts of classified material. The people who do this are senior members of staff (even MPs…), I doubt Hazel Blears is part of the “facebook” generation – she simply had material on her machine that shouldn’t have been there and it got stolen. The MOD losses are similar.

Portable IT equipment is a high-value target for thieves; by its very nature it lends itself to being carted away easily. Of course people will try to steal things like this, so any security plan must take that as an assumption and build from there (such as not putting unnecessary data there in the first place…). It is not the Cold War’s fault for having the barefaced cheek to end.

The larger “issue” in all this is that, despite the poor record, our government is continually trying to record and store more and more data on its citizens. Imagine the security compromise possible when a laptop containing 25,000,000 (not a made-up number) people’s ID card details goes missing…

Remind me again why ID cards are good?